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O We consider the group isomorphism problem: given two finite groups G and H specified 

by their multiplication tables, decide if G = H. The n log ™ barrier for group isomorphism has 
withstood all attacks — even for the special cases of p-groups and solvable groups — ever since 
the n logn+ °^ generator-enumeration algorithm. In this work, we present the first significant 
improvement over n logn by showing that group isomorphism is n/ 1 / 2 ' log j> Turing reducible 

to composition-series isomorphism where p is the smallest prime dividing the order of the group. 
Q Combining our reduction with an n (p/ lo sp) algorithm for p-group composition-series isomor- 

phism, we obtain an n^ 1 / 2 ^ lo sn+o{i) a ig 0r ithm for p-group isomorphism. We then generalize our 
techniques from p-groups using Sylow bases to derive an n^ 1 / 2 - >los ™ +0 ^ ogn / loglog "' 1 algorithm 
for solvable-group isomorphism. Finally, we relate group isomorphism to the collision problem 
which allows us replace the 1/2 in the exponents with 1/4 using randomized algorithms and 1/6 
using quantum algorithms. 
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1 Introduction 



In the group isomorphism problem, we are given two finite groups G and H of order n specified 
in terms of their multiplication tables and must decide if G = H. It is not known if group 
isomorphism is P or if it is NP-complete; the strongest result is that solvable-group isomorphism 
is in NP n coNP assuming that EXP <2 i.o.-PSPACE [2]. Group isomorphism is Karp reducible to 
graph isomorphism [30] but is not known to be Gl-complete and may be easier due to the group 
structure [12]. A consequence of this reduction is that if group isomorphism is NP-complete then 
the polynomial hierarchy collapses to the second level [10, 7, 16]. 

The generator- enumeration algorithm for group isomorphism was attributed to Tarjan by Miller [29] 
who extends it to quasigroups and other objects. This algorithm works by finding a minimal gen- 
erating set K for G by brute force; any isomorphism from G to H can be defined by its action on a 
generating set so we simply consider all n) K \ maps from K into H and check if any of these extend 
to an isomorphism. This algorithm runs in n^ K ^ + °^ time which is upper bounded by n logn+ °^ 
since there is always a generating set of size log n. Lipton, Snyder and Zalcstein [25] independently 
obtained the similar result that group isomorphism can be decided in 0(log 2 n) space. These are 
still the best results for general groups. 

Faster algorithms have been obtained for various special cases. Savage [36], Vikas [38] and 
Kavitha [21] all showed polynomial-time algorithms for Abelian groups. Le Gall [15] gave a 
polynomial-time algorithm for groups consisting of a semidirect product of an Abelian group with 
a cyclic group of coprime order; this was extended to a class of groups with a normal Hall subgroup 
by Qiao, Sarma and Tang [31]. Babai, Codenotti, Grochow and Qiao [3] showed an n°( loglogn ) 
time algorithm for the class of groups with no normal Abelian subgroups; the runtime was later 
improved to polynomial by Babai, Codenotti and Qiao [13, 4]. Babai and Qiao [8] showed that 
testing isomorphism of groups with Abelian Sylow towers is in polynomial time. 

Our main result is an algorithm that is faster than the generator-enumeration algorithm for 
the class of solvable groups. The solvable groups contain the nilpotent groups and hence the 2- 
nilpotent groups which are "almost Abelian" in a precise sense but are considered to be a formidable 
obstacle to efficient algorithms for general group isomorphism [3, 13, 8]. Before this work, it was a 
longstanding open problem [24] to obtain an n clo s n +0(i) algorithm where c < 1 even for p-groups 
(which are groups of order a power of the prime p) . 

Theorem 1.1. Solvable- group isomorphism is in n (V 2 ) lo B P »H-0(iogra/iogiogra) time where p is the 
smallest prime dividing the order of the group. 

In the case of randomized and quantum algorithms, we can replace the 1/2 by 1/4 and 1/6 
respectively. We note that, although not all groups are solvable, solvable groups are quite gen- 
eral. Every nilpotent group (and hence every p-group) is solvable. More generally, groups of odd 
order [14] or of order p a q b where p and q are prime [32] are solvable. Empirically, the proportion 
of 2-groups among the finite groups of order at most N tends to 1 as iV approaches infinity [9]; 
therefore, the density of the solvable groups in the finite groups also tends to 1. 

We start by reducing group isomorphism to composition-series isomorphism (which we define 
shortly). 

Theorem 1.2. Group isomorphism is rS l l 2 ^ og p n+0<y1 ^ time deterministic Turing reducible to composition- 
series isomorphism where p is the smallest prime dividing the order of the group. 
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A composition series S is a tower of subgroups Go = {e}<- • -<G m = G such that no additional 
subgroups can be inserted. The factor groups Gj+i/Gj are called the composition factors of S. We 
say that two composition series Go = {e}<- • -<G m = G and Hq = {e}<- • -<H m = H are isomorphic 
if there is an isomorphism (ft : G — > H such that <ft[Gi] = Hi for all i. In the composition- series 
isomorphism problem, we are given composition series S and S' where the subgroups are specified 
by their corresponding subsets and must decide whether S = S' . 

Wagner [39] showed a Karp reduction from composition-series isomorphism to low-degree graph 
isomorphism [26, 6, 5]. Using this reduction, he gave an algorithm for p-group composition 

series isomorphism using an algorithm 1 for isomorphism of graphs of degree at most d. 

Wagner's reduction also applies to general groups, but produces graphs of large degree when there 
are large composition factors. Wagner reduced the degrees by using a modification of the generator- 
enumeration algorithm to guess the action of the isomorphism on large composition factors; the 
graphs are then modified to enforce this mapping. This would have yielded an n ^ & n / io ^°& n ) 
algorithm for isomorphism of composition series for arbitrary groups. Unfortunately, the resulting 
graphs depend on which coset representatives are chosen so the algorithm is flawed. After being 
contacted by the author, Wagner attempted to fix this error in two subsequent revisions [40, 41]; 
unfortunately, these contain a more subtle manifestation of the same flaw. Wagner retracted his 
attempted fix in the latest revision of his paper [42] after additional discussions with the author 
(see Appendix E.) However, we will show that Wagner's generator-fixing trick can still be salvaged 
in a special case which we utilize in our algorithm for solvable groups. 

Another result of Wagner [39] is a reduction from group isomorphism to composition-series 
isomorphism. This reduction is based on guessing generators for the composition series and is no 
more efficient than the generator-enumeration algorithm. Wagner combined this with the reduction 
from p-group composition-series isomorphism to graph isomorphism to obtain an algorithm for p- 
group isomorphism that is no faster than the generator-enumeration algorithm. 

By instead using our more efficient n^ 1 ^ 2 ^ l ° s p n+ °^ time reduction from group isomorphism 
to composition-series isomorphism, we obtain an algorithm for p-groups that is faster than the 
generator-enumeration algorithm when p is small. When p is large, the generator-enumeration 
algorithm runs in n log p n+ °^ time since every p-group has a generating set of size log p n. Choosing 
whichever algorithm is faster based on p and n yields the following result. 

Theorem 1.3. p-group isomorphism is in n( 1 / 2 ) logn+ °( 1 ) time 2 . 

The first technical contribution of this work is our idea of guessing the intermediate subgroups of 
the composition series directly rather than guessing their generators. Our improved n^ 1 / 2 ) log p n +°( 1 ) 
time reduction from group isomorphism to composition-series isomorphism is a direct consequence 
of this innovation. The rS l ^ 2 ^ log p n+oly1 ^ bound is obtained by building up a composition series 
for the socle of G (denoted soc(G)) whose subgroups are direct products. The number of choices 
for the first subgroup in the series is bounded by the order of G. For each subsequent subgroup, 
the number of choices is reduced by a factor of p where p is the smallest prime that divides the 
order of G. Taking the product of the number of choices at each step, we obtain a product of 
the first log p |soc(G)| powers of p. Summing the exponents, the 1/2 then falls out of the formula 

1 There is actually an n °( d / lo s d ) algorithm [5] for isomorphism of graphs of degree at most d which yields an 
n o( P / iog P ) algorithm 

2 We remark that we have logn here rather than log p n as in the algorithm for solvable groups; this is the price we 
pay for reducing the lower-order term to O(l) in the case of p-groups. 
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^2 i= ii = k(k + l)/2. We obtain the rest of the composition series by recursively computing a 
composition series for G/soc(G) and lifting back to subgroups of G. 

It is important to note that when the intermediate subgroups in the composition series are 
determined by guessing generators as in Wagner's algorithm, the number of possible choices for 
each subsequent subgroup does not reduce by a factor of p at each step. This yields an upper 
bound of n log p ra+ °( 1 ); to obtain the factor of 1/2 in the exponent of our result, it is crucial that we 
consider all possible intermediate subgroups at each step instead of guessing generators. 

Our second technical innovation allows us to generalize Theorem 1.3 to the class of solvable 
groups. By extending the techniques in the proof of Theorem 1.2 using the theory of Sylow bases, we 
derive a Turing reduction from solvable-group isomorphism to Hall composition-series isomorphism 
(a variant of composition-series isomorphism which we define later). 

Theorem 1.4. Solvable-group isomorphism is n^ 1 ^ 2 ^ l ° s p n+ °^ time deterministic Turing reducible 
to Hall composition-series isomorphism where p is the smallest prime dividing the order of the 
group. 

By generalizing the reduction from composition-series isomorphism to low-degree graph iso- 
morphism, we show that Hall composition-series isomorphism is polynomial-time Karp reducible 
to low-degree graph isomorphism. Theorem 1.1 then follows from Theorem 1.4 and the n O(d/logd) 
algorithm [5] for testing isomorphism of graphs of degree at most d. 

We also show a reformulation of group isomorphism as a collision problem which further reduces 
the constants in the exponents by a factor of 1/2 using randomized algorithms or a factor of 1/3 
using quantum algorithms. To apply this trick to reduce the 1/2 in the exponents of Theorems 1.1 
- 1.4 to 1/4 and 1/6 for randomized and quantum algorithms, it is necessary to use the 
algorithm [6, 5] for computing canonical forms of graphs of degree at most d instead of using the 
n O(d/\ogd) g ra ph-isomorphism testing algorithm. We start by fixing an isomorphism (f> : G —¥ H. 
This isomorphism can be used to define a bijection from the set S of all composition series for G 
and the set S' of all composition series for H that we consider. Thus, each composition series S G S 
for G is paired with some composition series S' £ S' for H. We guess n < - 1//4 ^ log p ri+ °^ 1 ' ) composition 
series uniformly at random from both S and S'; a collision detection argument implies that if G = H 
then with high probability we guessed some pair of composition series S £ S and S' £ S' which 
are also isomorphic. We then determine if an isomorphic pair exists by constructing a graph from 
each composition series guessed, computing the canonical forms and sorting the resulting graphs. 
From this, we obtain 1/4 for randomized algorithms. The 1/6 for quantum algorithms follows from 
using quantum claw detection [11] instead of selecting S and S' uniformly at random. 

By modifying the generator-enumeration algorithm to perform group canonization, we can 
also apply our randomized and quantum speedups to the generator enumeration algorithm using 
the same tricks (see Appendix C for the details). This yields ra (1/2) log p and n (1/3)log p n+ ° (1) 
randomized and quantum algorithms for testing isomorphism of arbitrary groups. 

The deterministic variants of our algorithms also apply to the group canonization problem. 
Here, the goal is to compute a multiplication table of a group with the underlying set [n] which is 
isomorphic to the original group and uniquely identifies its isomorphism class. We accomplish this 
by computing the canonical form of the graph for each composition series using the algorithm 
for canonization of graphs of degree at most d. We then select the canonical form that comes first 
lexicographically. Since a multiplication table can be extracted from this graph in deterministic 
polynomial time, we obtain an algorithm for group canonization. The details are presented in 
Appendix D. 
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In Section 2, we provide a review of standard group theory facts which are used in the rest 
of our paper. In Section 3, we present a formalized variant of Wagner's reduction and prove its 
correctness. In Section 4, we derive results on lifting composition series from factor groups and 
bounds on the number of composition series that must be considered. In Section 5, we prove the 
correctness of our Turing reductions from group isomorphism to composition-series isomorphism. 
In Section 6, we derive our algorithms for p-group isomorphism. In Section 7, we review the theory 
of Sylow bases which we utilize in our construction. Before presenting the full algorithm for solvable 
groups, we provide a sketch in Section 8. In Section 9, we show our reduction from solvable-group 
isomorphism to Hall composition-series isomorphism. In Section 10, we reduce Hall composition- 
series isomorphism to graph isomorphism. In Section 11, we leverage our machinery to obtain our 
algorithms for solvable-group isomorphism. Due to length constraints, we omit some proofs and 
sketch others. We direct the reader to the full version [35] for complete proofs of all results. 

2 Group theory background 

In this section, we review some standard results from group theory; we omit the proofs. Some of 
these are given for convenience in Appendix F; the rest may be found in group theory and algebra 
texts [32, 22, 18, 34, 1, 43, 33]. Readers familiar with group theory may wish to skip this section. 

Let G and H be groups. Throughout this paper, we assume all groups are finite and let n = \G\. 
We let Iso(G, H) denote the set of all isomorphisms from G to H. The conjugation of x by g is 
written as x 9 = gxg~ x \ the bijections i g : G — > G : x i-> x 9 are the inner automorphisms of G. 
A normal subgroup N of G (denoted N < G) is a subgroup that is closed under conjugation by 
elements of G. The normal closure of subset S is the smallest normal subgroup of G containing 
S and is equal to (S G ). The coset of an element g G G for a subgroup H < G is the set gH = 
{gh | h e H}. The canonical map ip : G — > G/N : g >->■ gN sends each element of G to its coset. We 
say that H is a characteristic subgroup of G (denoted H char G) if every automorphism 4> £ Aut(G) 
satisfies 4>[H] = H. The center of G (denoted Z(G)) is the subgroup of the elements that commute 
with all of G. For a prime p, a p-group is a group of order a power of p. This is equivalent to the 
condition that every element of the group has order a power of p. A Sylow p-subgroup of G is a 
p-subgroup of order p e where p e is the largest power of p dividing n. A Sylow subgroup of G is a 
Sylow p-subgroup for some prime p. 

A group is called simple if it has no nontrivial proper normal subgroups. A group is character- 
istically simple if it has no proper nontrivial characteristic subgroups. A minimal normal subgroup 
N of G is a nontrivial normal subgroup of G that does not properly contain any nontrivial normal 
subgroup of G. The socle of a group G is denoted soc(G) and is the (characteristic) subgroup 
generated by the minimal normal subgroups of G. A subnormal series S of a group G is a tower of 
subgroups Go = {e}<- • -<iG m = G. The groups Gj+i/Gj are called the factors of S. A composition 
series of a group G is a maximal subnormal series for G. The factors of a composition series are 
called composition factors] by the Jordan-Holder Theorem (cf. [32, 34]), the multiset of composition 
factors is uniquely determined by G so they are also called the composition factors of G. A group is 
solvable if it has a subnormal series in which each factor is Abelian. A normal series is a subnormal 
series in which each Gi < G. A central series is a normal series where each d+i/Gi < Z(G/Gi). 
A group is nilpotent if it has a central series. Thus, every nilpotent group is solvable. A group is 
k-nilpotent if it has a central series of length k. 

We shall make use of the following results. 
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Proposition 2.1 (cf. [18, 43]). Every minimal normal subgroup is characteristically simple. 

Proposition 2.2 (cf. [32, 18, 43]). A group is characteristically simple if and only if it is the direct 
product of isomorphic simple groups. 

Proposition 2.3 (cf. [32, 18]). The socle of a group is a direct product of minimal normal subgroups. 

Together, the last three propositions imply that the socle can be written as a direct product 
of some subset of its simple minimal normal subgroups. We shall make use of this fact in our 
reduction from group isomorphism to composition-series isomorphism. Note that the direct prod- 
uct decomposition of the socle is not unique. The next proposition allows us to compute this 
decomposition. 

Proposition 2.4 (cf. [37]). The socle and minimal normal subgroups can be computed in polynomial 
time. 

Theorem 2.5 (First Sylow Theorem, cf. [32, 22, 34, 1, 33]). Let G be a group and let p be a prime 
that divides its order. There exists a Sylow p-subgroup of G. 

Theorem 2.6 (Second Sylow Theorem, cf. [32, 22, 34, 1, 33]). All Sylow p-subgroups of G are 
conjugate. 

Proposition 2.7 (Kantor [20]). A Sylow p-subgroup of a group G can be computed in polynomial 
time. 

3 A Karp reduction from composition-series isomorphism to low- 
degree graph isomorphism 

In this section, we present a variant of Wagner's Karp reduction from composition-series isomor- 
phism to graph isomorphism and supply the correctness proof claimed in the introduction. The 
main ideas are essentially the same; however, we fill in several gaps in Wagner's arguments and 
define the construction precisely so that rigorous proofs are possible. Finally, we adapt the reduc- 
tion to perform composition-series canonization instead of isomorphism testing. First, we define 
isomorphisms for composition series. 

Definition 3.1. Let S be the subnormal series Gq = {e}< - ■ -^Gm = G and let S' be the subnormal 
series Hq = {e} < ■ ■ ■ < H m = H. An isomorphism <\> : G — > H respects S and S' if 4>{Gi) = Hi for 
all i. We say that an isomorphism (p : G — > H which respects S and S' is an isomorphism from S 
to S'. 

We shall make use of the following result. 

Theorem 3.2 (Babai, Kantor and Luks [5]). Isomorphism of graphs of degree at most d is in 
n O(d/\o g d) Ume _ 
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A closely related problem is graph canonization. Here, we are given a graph and must compute 
its canonical form. This is a graph which is isomorphic to the original graph and has the property 
that two graphs are isomorphic if and only if their canonical forms are equal. 

In a colored graph, each vertex has an associated color. Let X\ and X2 be colored graphs. An 
isomorphism <p : X\ — > X2 must also respect the colors so that a node x G X\ has color k if and 
only if (p(x) G X2 has color k. We will use the following algorithm for colored graph canonization. 

Theorem 3.3 (Babai, Kantor and Luks [6, 5]). Canonization of colored graphs of degree at most 
d is in time. 

We now construct a tree by starting with the whole group G and decomposing it into its 
cosets G/G m -i; we then further decompose each coset in G/G m ^\ into the cosets G/G m -2 that it 
contains. This process is repeated until we reach the trivial group Go = {e}. We make this precise 
with the following definition. 

Definition 3.4. Let G be a group and consider the composition series S given by the subgroups 
Go = {e} <]•••<] G m = G. Then T(S) is defined to be the tree whose nodes are \J { G/Gi. The root 
node is G = G m which we identify with {G}. The leaf nodes are {x} G G/{e} which we identify 
with x G G. For each node xGi + \ G G/Gi + \, there is an edge to each yGi such that yGi C xGi + \. 

We now use this tree to define a graph that encodes the multiplication table of G. The idea is to 
attach a multiplication gadget to the nodes x,y,z £ G for each entry xy = z in the multiplication 
table. Naively, each node x G G would have degree Q,(n). We avoid this problem by creating a 
new tree which contains a copy of the tree T(S) for each element of G; the root nodes of these 
trees are then identified with the leaves of another copy of T(S). We then show how to construct 
multiplication gadgets so that each of the n 2 leaf nodes is involved in only a constant number of 
multiplication gadgets. This causes the resulting graph to have degree p + 0(l). The details of this 
construction are described in the following definition. 

Definition 3.5. Let G be a group and consider the composition series S given by the subgroups 
Go = {e} < ■ ■ ■ < G rn = G. To construct X(S), we start with a copy T$ ofT(S). For each x G G, 
we create an additional copy T^ of T(S) . We then combine these graphs by identifying the root 
of each T^ with the leaf x ofT$. The node for yGi in T^ is denoted (yGi)( x \- in particular, the 
leaf for y G G in T^ is denoted y^ x \ For each x,y G G, we connect three new leaves y^-\ y^) and 
y=^ to the leaf y^ in and add them to X(S). For all x,y, z G G such that xy = z, we draw 
an edge from y^ to x^) and from x^) to and color y^ "left", x^) "right" and y=^ "equal". 
We color the root node ofT$ "root"; the remaining nodes are colored "internal". 

The graph X(S) is a cone graph; that is, a rooted tree with edges between nodes at the same 
level. We call the edges that form the tree in a cone graph tree edges and the edges between nodes 
at the same level cross edges. We now show a bijection from Iso(5, S') to lso(X(S), X(S')). Our 
main contribution to the construction described in this section is a rigorous proof of this result. 

Theorem 3.6. Let S and S' be composition series for the groups G and H . Then there is a 
bijection between lso(S, S') and lso(X(S), X(S')). 

We provide a sketch and defer the complete proof to Appendix A. Consider an isomorphism <fi 
from S to S'. We define <f> to be the map from X(S) to X(S') that maps the root G of X(S) to 
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the root H of X(S'), each node x G G to </>(:c) and each y( x ) to (<f>(y))^ x ^; similarly, we define 
(j>(y^) = (<fi(y))\'^ X ^ f° r each x,y G G and A G {•<—,—>,=}. We define on the intermediate 
coset nodes by <j>(xGi) = (p[xGi\ for each xd G G/Gj and ^{(yGi)^) = {^[yGi])^^ for each 
x £ G and yGj G G/Gi. The first half of the proof involves showing that is an isomorphism 
from S to S'. It is straightforward to show that is a well-defined bijection which respects the 
colors and tree edges. The fact that <fi respects the cross edges (which encode the multiplication 
gadgets) follows easily from the assumption that 4> is an isomorphism. At this point we know that 
/ : lso(S, S') — > Iso(X(S'), X(S')) : <p i— > (p is a well-defined function. 

The second (more difficult) half of the proof is to show that / is a bijection. It is simple to 
show that / is injective since if f(<j>i) = 4>i = <t>2 = /(<fe) f° r </>i>02 e lso(S,S') then we have 

01 = 4>i =4*2 = 4>2- Showing that it is surjective is more involved. Let 9 : X(S) — > X(S') 
G G 

be an isomorphism. Because of our coloring of the nodes, we know that 9 maps the root G of 
X(S) to the root H of X(S') which implies that 9 maps the k th level of X(S) to the k th level of 
X(S'). Then <f> = 6\ G : G -»• H is a bijection. We now argue that 0(y(*)) = {(f>{y))^ x)) for all 
x,y G G. This follows from the observation that the unique shortest path from x to y in X(S) 
that passes through a node colored "left" and then one colored "right" goes through the node 
and later x^ y \ To show that eft is an isomorphism from G to H, we note that for all x,y G G with 
z = xy,6 maps the multiplication gadget (y^.s^^W) to ((<Ky)) (<Ka:)) , O^z)) ^, (<Ky)) 
which implies that (j){xy) = <fi(x)(f>(y). The fact that 4>[Gi] = Hi for each i follows by considering 
the action of 9 on the descendants of the node Gj which are contained in G. 
The correctness of our reduction follows. 

Corollary 3.7. Let S and S' be composition series. Then S = S' if and only if X(S) = X(S'). 

In order to obtain an efficient algorithm for p-group composition-series isomorphism, we must 
show that the degree of the graph is not too large. 

Lemma 3.8. Let G be a group with a composition series S such that a is an upper bound for the 
order of any factor. Then the graph X(S) has degree at most max{a + 1,4} and size 0(n 2 ). 

Proof. The tree T(S) has size 0(n) and X(S) contains n + 1 copies of this tree. Connecting three 
additional nodes y{ x ^ to each leaf y^ in each T^ only increases the number of nodes by a constant 
factor. Thus, X(S) has 0(n 2 ) nodes. Let x,y G G. The degree of the leaf node x^ is 4 since it 
is connected to its three children x^ where A G {<—, — >, =} and its parent. By construction, the 
degree of any internal node is at most a + 1 . □ 

We are now in a position to obtain an algorithm for composition-series isomorphism. 

Theorem 3.9. Let G and H be groups with composition series S and S' such that a is an upper 
bound for the order of any factor. Then we can test if S = S' in n W lo s») time. 

Proof. We can compute the graphs X(S) and X(S') in polynomial time. By Corollary 3.7, S = S' 
if and only if X(S) = X(S') so this reduction is correct. By Lemma 3.8, the number of nodes in 
X(S) is 0(n 2 ) and the degree is at most max{a + 1, 4} = O(a). We remove the colors by attaching 
copies of paths of lengths 1, 2, 3 and 4 to the nodes colored "left", "right", "equal" and "root." 
We simply discard the "internal" color. This increases the number of nodes by a constant factor. 
Then we test if X(S) ^ X(S') in n °( a / lo s a ) time using Theorem 3.2. □ 
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For the randomized and quantum variants of our algorithm, it is necessary to adapt Theorem 3.9 
to composition-series canonization. First, we define complete polynomial-size invariants. 

Definition 3.10. Let S be a composition series for a group G. A complete polynomial- size invariant 
Inv(S') for S has the following properties: 

(a) If S and S' are composition series for the groups G and H then S = S' if and only if 
Inv(S) =Inv(5'). 

(b) |Inv(5)| = poly(n). 

Definition 3.11. Let S be a composition series for a group G. We define the canonical form 
Can(S') to be a tuple (M, ip(Go), . . . , ip(G m )) with following properties: 

(a) M is an n x n matrix with entries in [n]. 

(b) M is the multiplication table for a group which is isomorphic to G under ip : G — >■ [n]. 

(c) Can(S') is a complete polynomial- size invariant. 

In the composition- series canonization problem, we are given a composition series S for a group 
G and must compute Can(S'). We now give an algorithm for this problem. 

Theorem 3.12. Let S be a composition series for a group G such that a is an upper bound for the 
order of any factor. Then we can compute a canonical form Can(5) for S in time. 

We give a sketch and defer the complete proof to Appendix A. Although there are many details 
that must be checked, the idea is simple. It is easy to see that C&n(X(S)) is a complete polynomial- 
size invariant for S. Moreover, because of the multiplication gadgets in the graph X(S), we can 
deterministically compute a multiplication table M(G) for a group with the underlying set [n] that 
is isomorphic to G. Let 9 be an isomorphism from X(S) to C&n(X(S)). We can find the node 
6(e) in Can(X(5)) using this multiplication table. Each node 0(Gi) is on the path from the root 
0(G) to 9(e) so we can find these nodes as well. The descendants of each 9(G{) that are contained 
in 0[G] can be used to compute the subgroup of the group described by M(G) which corresponds 
to Gj. Because this is a deterministic computation which depends only on C&n(X(S)), n and the 
composition length of G, we obtain a canonical form Can(S'). 

4 Composition series: lifting isomorphisms and bounds 

In this section, we prove some useful lemmas that are used to derive our main result. First, we 
review some standard results which are proved for convenience in Appendix G. 

Definition 4.1. Let G and H be groups with normal subgroups N and N' . Let <f> : G — > H be an 

isomorphism such that <j)[N\ = N' . Then we say that <p induces the isomorphism <j>\ G / N '■ G/N — > 
H/N' : gN i-> 4>[gN\. 

Proposition 4.2. The induced isomorphism is well-defined and is indeed an isomorphism. 
The following proposition is useful in proving the correctness of our reduction. 

Proposition 4.3 (cf. [33]). Let G and H be groups with normal subgroups N and N' . Let T 

be a subnormal series Kq = {N} < ■ ■ ■ <i K m = G/N for G/N and let T' be a subnormal series 
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Lo = {N'} < ••• < L m = H/N' for H/N' . Denote the canonical maps by <p : G — > G/N and 
tp' : H —7- H/N' . Let S be the subnormal series {e} <Gq < ■ ■ ■ < G m = G and Zei S' be the subnormal 
series {e} < Hq < • • • < H m = H where Gi = ip~ l [Ki\ and Hi = <^ /_1 [Lj]. Consider an isomorphism 
<p : G — > H where 4>[N] = N' . Then <p respects S and S' if and only if the induced isomorphism 
(f)\ G/N : G/N -»• H/N' respects T and T' . 

We now prove a series of lemmas that bound the number of composition series we consider. 

Lemma 4.4. If G is a group such that p is the smallest prime that divides its order n, then G has 
at most (n — l)/(p— 1) minimal normal subgroups. 

Proof. The intersection of two normal subgroups of G is itself a normal subgroup of G so it follows 
that all minimal normal subgroups intersect trivially. By Lagrange's theorem, the order of every 
subgroup divides the order of the group. Then each minimal normal subgroup of G contains at 
least p — 1 non-identity elements that are not contained in any other minimal normal subgroup of 
G. Then if there are t minimal normal subgroups, £(p — 1) + 1 < n so i < (n — l)/(p — 1). □ 

Lemma 4.5. Let G be a group and consider N < G. If S is a simple minimal normal subgroup of 
G such that N n S = {e}, then NS/N is a simple minimal normal subgroup of G/N . 

Proof. Let S be a simple minimal normal subgroup of G that intersects N trivially. Then NS < G 
so NS/N < G/N . By the second isomorphism theorem, NS/N = S so NS/N is simple. Suppose 
that H/N < NS/N where H/N < G/N. Since NS/N is simple, H/N G {N/N, NS/N} so 
H e {iV, TVS}. Thus, NS/N is a simple minimal normal subgroup of G/iV. □ 

Corollary 4.6. Zei G be a group and consider N < G. If Si and S2 are distinct simple minimal 
normal subgroups of G such that N D Si = {e} and NS\ 7^ NS2, then NSi/N and NS2/N are 
distinct simple minimal normal subgroups of G/N. 

The next lemma is the source of the 1/2 in the exponent of the runtime of our main result. 

Lemma 4.7. Let G be a group and let p be the smallest prime that divides G. There are at most 
npi 1 / 2 ) lo s P n = n (V 2 ) lo s P "+ 1 composition series for G of the form {e} < Si < • • • < flLi s i = G where 
each Si is a simple minimal normal subgroup of G. 

Proof. First, we note that if G cannot be written as a direct product of its simple minimal normal 
subgroups then no such composition series exist so the bound holds trivially. Otherwise, there are 
at most n — 1 choices for Si by Lemma 4.4. Once we choose Si, it follows from Lemma 4.4 and 
Corollary 4.6 that there are at most n/\Si\ — 1 < n/p distinct direct products SiS^ such that S2 
is a simple minimal normal subgroup of G that intersects Si trivially. More generally, if Y\l=i & 
is a direct product where each Si is a simple minimal normal subgroup of G then there are at 
most n/J3^ =1 I Si I — 1 < n/pi distinct direct products ^111=1 Sj+i such that Sj + i is a simple 

minimal normal subgroup of G that intersects Y\i=i &i trivially. Let t = \log p n\ . Then the number 
of composition series consisting of direct products of simple minimal normal subgroups is at most 



9 



= np K^g p n-t/2-l/2) 

= np (1/2) log p " □ 

Note that we did not use the p — 1 in the denominator of Lemma 4.4 so the above analysis can 
be tightened; however, this only reduces the number of possibilities by a polynomial factor. 

5 A Turing reduction from group isomorphism to composition- 
series isomorphism 

We now present our method for constructing a composition series and prove Theorem 1.2. Guessing 
intermediate subgroups directly instead of their generators is the crucial difference between our 
method and previous work by Wagner [39] that enables us to obtain the rS l / 2 ' )log p n+0 ^ time 
Turing reduction from group isomorphism to composition-series isomorphism (p is the smallest 
prime dividing the order of the group). If we used generators for the intermediate subgroups as in 
Wagner's paper [39], we would obtain an n} og p n+ °^ time reduction. We start with a coarse-grained 
recursive group-decomposition process due to Luks [27]. 

Consider the groups G and H. We start by taking the socles of G and H to obtain the subnormal 
series {e} < soc(G) < G and {e} < soc(H) < H. We continue this process by recursively obtaining 
a decomposition of G/soc(G) and H/soc(H) and take the preimages of these series under the 
canonical maps to obtain decompositions for G and H. Any isomorphism from G to H must 
respect soc(G) and soc(H) and the inverse images obtained in the recursive decomposition process. 
We then decompose the socles into direct products of simple subgroups. This yields composition 
series for soc(G) and soc(H). The only choices we have are the towers of direct products for the 
socles. 

Our algorithm for finding a composition series of G works by first computing soc(G); we then 
construct a composition series for soc(G) where the intermediate subgroups are direct products of 
simple minimal normal subgroups of soc(G). To obtain the second half of the composition series for 
G, we recursively construct a composition series for G/soc(G); by taking the preimage of this series 
under the canonical map ip : G — > G/soc(G), we obtain a tower of subgroups of G that contain 
soc(G) such that every subgroup is normal in the next subgroup and the factor groups are simple. 
This process is described more precisely in Algorithm 1; MINIMAL-NORMAL-SUBGROUPS is an 
algorithm that takes a group and returns its minimal normal subgroups. 
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Algorithm 1 An algorithm for computing a composition series; tp : G — > G/soc(G) denotes the 
canonical map 

Input: A group G specified by its multiplication table 

Output: A composition series S for G with the intermediate subgroups that are socles or preimages 
of socles labelled "socle" 
function COMPOSITION-SERIES(G) 

S := ({e}, G) > The composition series for G will be stored here 

{Ni, . . . , N k } := MINIMAL-NORMAL-SUBGROUPS (G) 
soc(G) := UiNi 
if G is not simple then 
if soc(G) / G then 

(K < ■ ■ • < K m ) := COMPOSITION-SERIES(G/soc(G)) 
for i = 1, . . . ,m — 1 do 

Insert Gi := 9? -1 [.fQ] into S and copy the label of Ki to Gi 
end for 
end if 

T := Uti SIMPLE-SUBGROUPS^) 
K := {e} 

while K / soc(G) do 

Choose L £ T such that K n L = {e} 
K := KL 
Insert K into S 
T = 

for L g T do 

if K n L = {e} and / KL' for all L' G T' then 

Insert L into T' 
end if 
end for 
T := T 
end while 

Label soc(G) as "socle" in S 
end if 
return S 
end function 



Algorithm 2 An algorithm for computing all simple minimal normal subgroups 
Input: A characteristically simple group G specified by its multiplication table 
Output: The set of all simple minimal normal subgroups of G 

1: function SIMPLE-SUBGROUPS(G) 

2: {N u ..., N k } := MINIMAL-NORMAL-SUBGROUPS (G) 

3: return {iVj | Ni is simple} 

4: end function 



The composition series that is obtained from this process depends on which composition series 
consisting of direct products of simple minimal normal subgroups is chosen for each socle. We refer 
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to this as the choice of socle decompositions. This corresponds to the choice of simple minimal 
normal subgroups of the socles on line 15 in Algorithm 1. Each such choice results in a different 
composition series. 

It is straightforward to prove the correctness of Algorithm 1; we defer the proof to Appendix A. 

Lemma 5.1. Algorithm 1 returns a composition series for G; moreover, every subgroup in the 
series which is a socle or a preimage of a socle is labelled "socle. " 

Lemma 5.2. Algorithms 1 and 2 run in time polynomial in n. 

Proof. Algorithm 2 runs in polynomial time since we can compute all minimal normal subgroups 
by taking the normal closure of all nontrivial elements and eliminating those that are contained in 
some other normal closure. We can test if a group is simple by checking that the normal closure of 
every nontrivial element is the group. Then Algorithm 1 runs in polynomial time. □ 

Lemma 5.3. Let G and H be groups and let S be a composition series obtained by running Al- 
gorithm 1 on G. Fix an isomorphism (ft : G — > H ; then for some choice of socle decompositions, 
Algorithm 1 on H returns a composition series S' such that (ft is an isomorphism from S to S' . 

Proof. Let (ft : G H be an isomorphism. Let S' be the image of S under (ft. We claim that S' 
can be obtained by running Algorithm 1 for some choice of socle decomposition. The proof is by 
induction on the number of subgroups labelled "socle" in Algorithm 1. For the base case, G is 
simple. This is trivial since the only composition series for G and H are {e} < G and {e} < H. 

For the inductive case, let T and T 1 be the simple minimal normal subgroups of soc(G) and 
soc(.£f) which are computed on line 12. Then (ft acts as a bijection from T to T'. Let soc(G) = 
Yli=i Li be the direct product that was computed for soc(G). Then we have soc(H) = Y\i=i 4>[Li] 
and each (ft[Li\ is a simple minimal normal subgroup of soc(H) in X". Thus, (ft respects the portions 
of S and S' up to the socles for some choice of socle decompositions. If soc(G) = G then we 
are done. Otherwise, by induction, the induced isomorphism 4>\qi soc ^ '■ G/soc(G) — > H/soc(H) 
respects the composition series for G/soc(G) and H/soc(H) computed recursively on line 7 for 
some choice of socle decompositions. It follows from Proposition 4.3 that (ft respects S and S' for 
some choice of socle decompositions. □ 

We now consider all possible composition series S' for H that can be constructed according to 
Algorithm 1. First, we need a simple lemma which we prove in Appendix A. 

Lemma 5.4. The maximum value of \\x\\^ subject to the constraints that x G each X{ > 1 and 
Y? i=l Xi = t where t > d is (d - 1) + (t - {d - l)) 2 . 

Lemma 5.5. Let G be a group and let p be the smallest prime that divides its order. Then 
the number of choices of socle decompositions in Algorithm 1 is at most n 5 / 2 ^ 1 / 2 -^ 10 ^™ - ^ +1 < 
n (i/2) iog p n+o(i) wnere £ i s fo e num i) er f subgroups labelled "socle. " 

Proof. Define Fq = G, i^j+i = Fi/soc(Fi) and let <pi : Fi — > i^+i be the canonical map. We note 
that soc(Fj) is a nontrivial subgroup of Fi for i < I. Note that soc(F^_!) is the last subgroup 
labelled "socle." 

The subgroups labelled "socle" in a composition series S computed by Algorithm 1 are the 
preimages 1 • • • (f^\[soc(Fi)] for < i < i. Let rij+i = |soc(Fj)|; since soc(F^_i) < we 
know that Yl i=1 ni<n and rij > p. The number of choices of socle decompositions for the i th level 
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recursive call is bounded by the number of composition series for soc(-Fj) in which the subgroups 
are direct products of simple minimal normal subgroups of soc(-Fj). By Lemma 4.7, this is at most 
n . p (i/2)io g 2„^ Then the tQtal number of choices is at most n JlLi P (1/2) ^ = np (1/2) ^=i log p n \ 
To obtain a bound, we maximize this quantity subject to the constraints that Yli=i n i — 71 an( ^ 
Hi > p. We know that Yli=i ni = n at the maximum. Then setting x% = log p rii, this is equivalent to 
maximizing Yli=i x l = IMI2 sucn that Yli=i x i = l°gp n an d x % > 1- By Lemma 5.4, the maximum 
value is \x\^ 2 = (£—!) + (log p n — (£ — l)) 2 . Then the total number of choices is at most 

np (l/2)((^l) + (log p n-(£-l)) 2 ) < n 3/2 p (l/2)(log p n-(£-l)) 2 

= n 3/2 p (1/2)(log p ™- 2 ( lo Sp n)(e-i)+e 2 -2£+i) 

= n 3/2 p (l/2)(log2„-2(log p n)^+21og p n+£ 2 -2£+l) 

< n 5/2 p (l/2)((log p n-€) 2 +l) n 

Theorem 1.2. Group isomorphism is rS l t 2 ^ og p n+0<y1 ^ time deterministic Turing reducible to composition- 
series isomorphism where p is the smallest prime dividing the order of the group. 

Proof. Suppose we have an algorithm for composition-series isomorphism. We start by fixing 
a composition series S for G by calling Algorithm 1 on G using arbitrary choices for the socle 
decompositions. Then we compute the composition series S' for H for all possible choices of socle 
decompositions. By Lemma 5.3, S is isomorphic to one of these composition series S' if and only if 
G = H from which correctness is immediate. From Lemma 5.5, computing all of the composition 
series S' takes n^ 1 / 2 - )log p ri+ ° ( ' 1 ^ time where p is the smallest prime dividing n. □ 

We now show that this reduction can be performed more efficiently for randomized and quantum 
algorithms. Note that our results for randomized and quantum algorithms differ slightly from the 
deterministic case since it is now necessary to reduce to the slightly more powerful composition-series 
canonization problem. As we shall see, using the algorithm for graph canonization instead of the 
algorithm for testing isomorphism does not have a detrimental effect on the final runtime bounds. 
We remark that both of the following results also hold when composition-series canonization is 
replaced by the slightly weaker problem of computing a complete polynomial-size invariant. 

Theorem 5.6. Group isomorphism isn < - 1 / 4 ^ log p n+0( ' 1 ^ time randomized Turing reducible to composition- 
series canonization where p is the smallest prime dividing n. 

Proof. Let G and H be groups and consider the sets A and B of all composition series that can 
be computed for G and H using Algorithm 1 for some choice of socle decompositions. Fix an 
isomorphism (f> : G — > H. For each S G A, the image S' of S under <p is in B by Lemma 5.3. 
Conversely, the preimage S under <f> of any S' 6 B is in A by Lemma 5.3. Therefore, 4> induces a 
bijection from A to B. 

Consider the randomized algorithm that randomly selects subsets A Q A and B C B which are 
each of size n ( 1 /4)iog p n+0(i)_ i iG ^ Hj then with high probability there exist S G A and S' G B 
such that S = S' . To check if there is such a pair, we compute the canonical forms Can(S') and 
Can(S') for each Sei and S' G B; we then sort the canonical forms which result from A and B 
and store the results in the vectors A and B. This takes time at most n^ 1 / 4 ) 10 ^™" 1 " ^). By merging 
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A and B, we can check if such a pair exists in n^ 1 / 4 ) log p n +°( 1 ) time. If we find S £ A and S' £ B 
where S = S', we output G = H; otherwise, we output G p H. Then we can decide if G = H with 
one-sided error in ^(V^'ogprc+CK 1 ) time. □ 

Theorem 5.7. Group isomorphism is rS l ^^° z p n+0<y1 ^ time quantum Turing reducible to composition- 
series canonization where p is the smallest prime dividing n. 

Proof. Let G and H be groups. We apply the same argument as in the proof of Theorem 5.6 except 
that we use quantum claw detection [11] instead of guessing A C A and B C B. □ 

We remark that the methods of Theorems 5.6 and 5.7 can also be applied to the generator- 
enumeration algorithm; this yields an n^ 1 / 2 ) log p ra +°( 1 ) randomized algorithm and an n*- 1 / 3 ** log p n +°( 1 ) 
quantum algorithm for general group isomorphism (where p is the smallest prime dividing the order 
of the group). See Appendix C for the details. 

6 Algorithms for ]>group isomorphism 

The intermediate results of Sections 3 and 5 put us in a position to prove Theorem 1.3. First, we 
note that the generator-enumeration algorithm is efficient for p-groups when p is large. 

Lemma 6.1. Let G and H be p-groups. Then we can test if G = H in n l ° s p n+ °^ time. 

Proof. Observe that every p-group has a generating set of size at most log p n. □ 

The proofs of the next two lemmas are easy and we defer them to Appendix A. 

Lemma 6.2. If c\ and c 2 are positive constants then c\ log p n + c 2 p < c\ logn + O(l) for 2 < p < 
c\ In n/c 2 In 2 p. 

Lemma 6.3. If c is a positive constant then log p n = 0(logn/ log logn) for p > c Inn/ In 2 p. 
We now prove an extension of Theorem 1.3. 

Theorem 6.4. Let G and H be p-groups. Then we can test if G = H in 

(a) n^ l / 2 ^ logn+ °^ time for deterministic algorithms. 

(b) n( 1 / 4 ) logri+0 ( 1 ^ time for randomized algorithms. 

(c) n^ 1 / 6 ^ logri+ °^ 1 ^ time for quantum algorithms. 

Proof. Suppose we have an algorithm A which can decide p-group isomorphism in n Cl log p n+C2P 
time where < c\ < 1 and C2 > are constants. By Lemma 6.2, we know that n c i lo s P n + c 2p _ 
nCl io g n+o(i) for 2 < p < Cl lnn/c 2 lnV Lemma 6.3 implies that n ^ P n +°W = n O(io g n/ log logn) for 
P > ci lnn/c2 In 2 p. We can define an algorithm which runs A when 2 < p < c\ In n/c 2 In 2 p and 
runs the generator-enumeration algorithm when p > c\ In n/c 2 In 2 p. The overall complexity is then 
n ciiogn+0(i) Applying Theorems 1.2 and 3.12 together with the above argument proves part (a). 
Parts (b) and (c) follow from using Theorems 5.6 and 5.7 instead of Theorem 1.2. □ 
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We remark that in the above proof we could have used the n^ 1 ^ 2 ^ log p n+p ^ logp algorithm which 
follows from Theorems 1.2 and 3.9. In fact, one can generalize Lemmas 6.2 and 6.3 so that The- 
orem 6.4 can also be proved when our algorithms for isomorphism testing and graph of graphs of 
degree at most d run in n ^' polylog ( d ^ time. Regardless of the exact expression for the polylog(d) 
term, we still obtain the same runtime. Thus, polylog(d) factors in the exponents of graph isomor- 
phism testing and canonization algorithms are unimportant for our purposes. 

The deterministic version of our algorithm can be adapted to perform p-group canonization; 
see Appendix D for the details. 

7 Background on Sylow bases 

In this section, we cover basic properties of Sylow bases which are used later in the paper. 

Definition 7.1. Let G be a group whose order has the prime factorization n = Yli=iPT ■ A Sylow 
basis is a set {Pi | 1 < i < £} where each Pi is a Sylow pi-subgroup of G and PiPj = PjPi for all i 
and j . 

When we speak of a Sylow basis {Pi | 1 < i < £}, we always assume that each Pi is a Sylow 
^-subgroup of G. We say that the Sylow bases {Pi | 1 < i < £} of G and {Qi | 1 < i < £} of H are 
isomorphic if there exists an isomorphism <fi : G — > H such that <p[Pi] = Qi for all i. As we shall 
see, this is the case if and only if G is isomorphic to H. 

Proposition 7.2. // {Pi | 1 < i < £} is a Sylow basis of a solvable group G whose order has the 
prime factorization n = fli=i pT > then for any IC [£] 7 f\i e x Pi ^ s a subgroup of G of order fli^x Pi* ■ 

Proof. First, we remark that since {Pi | 1 < i < £} is a Sylow basis, there is no ambiguity in which 
order the product is taken. The result is clearly true when \X\ = 1. Suppose that the result holds 
for \I\ < k and let \T\ = k + 1. Choose some j G X and let P = Y\ ie x\{j} Pi- By assumption, P is a 
subgroup of G of order n«ex\{j} P? • e P anc ^ X 2,U2 £ Pj and suppose that x\X2 = y\yi- 

Then a^y^ 1 = x\ X y\ which implies that = yi since the orders of P and Pj are coprime. Thus, 
\PPj\ = TiieiPT- Because PPj = PjP, it is easy to show that PPj is a subgroup of G. □ 

This immediately implies the following. 

Proposition 7.3. If {Pi \ 1 < i < £} is a Sylow basis of a solvable group G, then every x G G is 
uniquely expressible as a product x± ■ ■ ■ where each Xi G Pi. 

The following two theorems of Hall are crucial in our utilization of Sylow bases. 

Theorem 7.4 (Hall [17], cf. [32]). A group G is solvable if and only if it has a Sylow basis. 

Two Sylow bases V = {Pi \ 1 < i < £} and Q = {Qi \ 1 < i < £} of G are conjugate if there 
exists g £ G such that for all i, Pf = Qi. We denote by V 9 the Sylow basis {Pf | 1 < i < £}. 

Theorem 7.5 (Hall [17], cf. [32]). Any two Sylow bases of a solvable group are conjugate. 

Corollary 7.6. Let G and H be isomorphic solvable groups. If {Pi \ 1 < i < £} and {Qi \ 1 < i < £} 
are Sylow bases for G and H then there is an isomorphism 4> : G — > H such that 4>[Pi] = Qi for 
each i. 

Proof. Let ijj : G — > H be an isomorphism. Clearly, {V'f-Pj] | 1 < « < ^} is a Sylow basis for H. 
Then by Theorem 7.5, there exists h £ H such that inner automorphism maps each ip[Pi] to Qi. 
Therefore, <j> = ihip ■ G — > H is an isomorphism from G to H such that 4>[Pi] = Qi for each i. □ 
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8 A sketch of the algorithm for solvable groups 



In this section, we provide a sketch of the generalization to solvable groups. The full construction is 
shown in Sections 9-11. Consider a group G whose order has the prime factorization n = Y\\ =1 p^ 
and let V = {Pi | 1 < i < £} be a Sylow basis of G. Since a group is solvable if and only if it has 
a Sylow basis, the Second Sylow Theorem implies that the number of possible choices of Sylow 
Pi-subgroups for all i is at most n l . A standard bound on the number of prime divisors of n then 
implies that we can find a Sylow basis V of a solvable group in n ( 1 +°( 1 ))( ln ™/ lnln «) time. 

Because all Sylow bases of a group are conjugate, it follows that a group has at most n Sylow 
bases. Thus, if G and H are isomorphic solvable groups, we can assume that we have Sylow bases 
V = {Pi \ 1 < i < £} and Q = {Qi \ 1 < i < £} for G and H which are mapped to each other under 
some isomorphism. We then construct a composition series Si for each Pj. For an isomorphism 
cf> : G —7- H, there exists some choice of socle decompositions of each composition series for Qi 
such that 4> is an isomorphism from Si to S[. We call (G,V,S) and (H,Q,S') Hall composition 
series where S = {Si | 1 < i < £} and S' = {S[ | 1 < i < £}. Our reduction to Hall composition- 
series isomorphism follows from considering all possible choices of S' . 

To reduce Hall composition-series isomorphism to low-degree graph isomorphism, we reindex 
the Pi and Qi so that their prime divisors are in decreasing order. We fix generators for the 
Pi,...,P K with large prime divisors and guess the corresponding generators for Qi, . . . , Q K . These 
generators induce unique orders on the elements of the subgroups P = P\ ■ ■ ■ P K and Q = Qi ■ ■ ■ Q K 
of G and H. This allows us to construct binary trees whose leaves represent the elements of P and 
Q; we fix the leaves by coloring them according to their positions in the orderings induced by the 
generators. For each x £ P, we construct a copy of the tree T(S K+ \) as for p-groups and attach its 
root to the leaf x of the binary tree for P. The leaves of the resulting tree then represent elements 
of PP K+ i; we continue in this manner by attaching a copy of the tree T(Si+\) to every leaf of the 
current tree for each i > k + 1. 

Applying the same ideas as before, we use n + 1 copies of the resulting tree together with 
multiplication gadgets to create a cone graph which represents a Hall composition-series of G. 
We then construct the same graph for H for all possible choices of Hall composition series and 
generators. The graph for G is isomorphic to one of the graphs for H if and only if G = H. 

9 A Turing reduction from solvable-group isomorphism to Hall 
composition-series isomorphism 

In this section, we describe our Turing reduction from solvable-group isomorphism to Hall composition- 
series isomorphism and thereby prove Theorem 1.4. To start, we define Hall composition-series 
isomorphism. 

Definition 9.1. In the Hall composition-series isomorphism problem, we are given two groups 
G and H specified by their multiplication tables whose orders have the prime factorization n = 
Yli=iPi % > we are a ^ so 9^ ven Sylow bases V = {Pi \ 1 < i < £} and Q = {Qi \ 1 < i < £} for G and 
H and composition series Si and S[ for each Pi and Qi. We denote the sets of composition series 
by S = {Si | 1 < i < £} and S' = {S^ \ 1 < i < £}. The subgroups of each composition series Si 
and S^ are Pio = {e} <■■■<] Pi^ m% = Pi and Qio = {e} <!■■■< Qi, mi = Qi- The Sylow bases and 
composition series are represented by the corresponding subsets of G and H. We say that S and 



16 



S' are isomorphic if there exists an isomorphism (ft : G — > H such that for all i, 4>[Pi] = Q% and 
each pair of composition series Si and S[ are isomorphic under the restriction of (ft to Pi. The Hall 
composition- series isomorphism problem is to determine if S and S' are isomorphic. 

For the sake of brevity, we call (G,V,S) a Hall composition series. Here, G, V and S are as in 
Definition 9.1. To start with, we show an algorithm for finding a Sylow basis of a solvable group 
G. For this it is convenient to use the following standard result from number theory. 

Proposition 9.2. The number of distinct prime divisors of n is at most (1 + o(l)) ^™ n . 

Lemma 9.3. Let G be a solvable group whose order has the prime factorization n = Y[i=iPi*- 
Then in n^ 1+ °^^ lnn/ ' lnlnn ) time, we can compute a Sylow basis of G. 

Proof. Theorem 7.4 implies that G has a Sylow basis. By Proposition 2.7, we can find a Sylow 
Pi-subgroup Pi of G for each i in polynomial time. By the Second Sylow Theorem, for each i there 
exists gi G G such that V = {Pf 1 | 1 < i < £} is a Sylow basis of G. For any choices of gi € G, we 
can test if {Pf i | 1 < i < £} is a Sylow basis of G in polynomial time by checking if the relations 
Pf x Pj j = Pj j Pf l hold for all i and j. We simply enumerate all possible gi, . . . ,gt £ G to find 
a Sylow basis. Since the order p^ of each Pi divides n, the number of Sylow subgroups of G for 
distinct primes is at most the number of distinct prime divisors of n. The bound on the runtime is 
immediate from Proposition 9.2. □ 

Lemma 9.3 suffices for the purposes of this paper. However, finding a Sylow basis for a solvable 
group can be done in polynomial time. 

Lemma 9.4. Let G be a solvable group whose order has the prime factorization n = Yli=iPT- 
Then we can compute a Sylow basis of G in polynomial time. 

The proof is based on other results by Hall. See Appendix B for the details. This can also be 
derived from a result of Kantor and Taylor [19]. We now bound the number of Hall composition 
series in analogy to Lemma 5.3. 

Lemma 9.5. Let G and H be groups whose orders have the prime factorization n = Yi^iPT 
such that V = {Pi | 1 < i < £} and Q = {Qi | 1 < i < £} are Sylow bases for G and H . Fix an 
isomorphism (ft : G — > H which is also an isomorphism from V to Q. For each i, let Si be a 
composition series for Pi obtained by running Algorithm 1 on G. Then for some choice of socle 
decompositions, running Algorithm 1 on each Qi returns a composition series S[ such that (ft is an 
isomorphism from Si to S[ . 

Proof. Let (fti = (ft\ p _ : Pi — > Qi for each i and apply Lemma 5.3 to each Si and (fti. □ 

An extension of the bound of Lemma 5.5 is also required. 

Lemma 9.6. Let G be a group and let p be the smallest prime that divides its order. Then there 
are at most n*- 1 ^ log p ra + ( 1 ) Hall composition series (G,V,S) which can be obtained by some choice 
of Sylow basis V = {Pi \ 1 < i < £} and some S = {Si \ 1 < i < £} where each Si is a composition 
series for Pi £ V which results from some choice of socle decompositions in Algorithm 1. 
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Proof. By Theorem 7.5, there are at most n choices of a Sylow basis V for G. Suppose the order 
of G has the prime factorization n = Y[i=iPi l - By Lemma 5.5, the number of choices for each 
composition series Si for Pi which can be obtained by some choice of socle decompositions in 
Algorithm 1 is at most p( 1 / 2 ^ e i + °( et \ Then the total number of choices of socle decompositions for 
all Si is at most 



IJ p (V^(e*) =I j( p O(e i)p (l/2K^ 



/ \0(1) / \ (l/2)max{ ei | l<i<£} 

< n °( 1 )n (1/2)log f" 

= n (l/2)log p n+0(l) n 



The result follows. 

Because it is needed for the randomized and quantum variants of our algorithm, we now intro- 
duce the Hall composition-series canonization problem. 

Definition 9.7. Let (G,V,S) be a Hall composition series. A complete polynomial-size invariant 
Inv(5) for S has the following properties: 

(a) If (G,V,S) and (H, Q,S') are Hall composition series then S = S' if and only ?/Inv(<S) = 
Inv(S'). 

(b) |Inv(<S)| = poly(n). 

Definition 9.8. Let (G,V,S) be a Hall composition series and suppose that the order of G has the 
prime factorization n = Yli=i P? ■ We reindex so that pi > pj for i < j and define the canonical 
form Can(cS) to be a tuple (M,ip[P]], . . . , ip[Pe], ip[Pio], ■ ■ .,tp[Pi, mi ], . . .,ip[Peo],. • . ,tp[Pe, me ]) such 
that: 

(a) M is an n x n matrix with entries in [n]. 

(b) M is the multiplication table for a group which is isomorphic to G under ip : G — >■ [n\. 

(c) Can(5) is a complete polynomial- size invariant. 

In the Hall composition- series canonization problem, we are given a Hall composition series 
(G,V,S) and must compute Can(«S). A stronger and more general version of Theorem 1.4 now 
follows from Lemma 9.4, the technique of Theorem 1.2 and Lemma 9.5. As for our reductions to 
composition-series in Section 5, the result also holds when Hall composition-series canonization is 
replaced by the problem of computing a complete polynomial-size invariant. 

Theorem 9.9. Solvable-group isomorphism is Turing reducible to Hall composition- series canon- 
ization. The reduction requires 

(a) n( 1//2 ) log p ri+ ° ( ' 1 ) time for deterministic algorithms 

(b) n( 1//4 ) log p ra+0( ' 1 ) time for randomized algorithms 

(c) n( 1 / 6 ) log p™ +0 ( 1 ) time for quantum algorithms 
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where p is the smallest prime dividing the order of the group. In the case of deterministic algorithms, 
we can Turing reduce solvable-group isomorphism to Hall composition-series isomorphism instead 
of Hall composition-series canonization. 

Proof. Suppose that we have an algorithm for Hall composition-series canonization and let G and 
H be solvable groups. Using Lemma 9.4, we compute Sylow bases V = {Pi | 1 < i < £} and 
Q = {Qi | 1 < i < ^} for G and H in poly(n) time. By Corollary 7.6, V and Q are isomorphic. 

We proceed in a manner similar to Theorem 1.2. We fix a composition series Si for each Pi 
by calling Algorithm 1 on each Pi using arbitrary choices for the socle decompositions. Then we 
compute the composition series S[ for each Qi for all possible choices of socle decompositions. Let 
S = {Si | 1 < i < £} and S' = {S' { | 1 < i < £}; by Lemma 9.5, S is isomorphic to some choice 
of Hall composition series S' if and only if G = H. Correctness follows immediately. The total 
time required to enumerate all choices of Hall composition series is at most n ( - 1 / 2 - >log p n+0 ( 1 - > by 
Lemma 9.6. 

To prove part (a), we simply note that two calls to any algorithm for Hall composition-series 
canonization suffice to decide Hall composition-series isomorphism. Parts (b) and (c) follow from 
the collision detection arguments of the proofs of Theorems 5.6 and 5.7. □ 

10 A Karp reduction from Hall composition-series isomorphism 
to low-degree graph isomorphism 

In this section, we generalize our technology for p-groups and show that Hall composition-series 
isomorphism is polynomial-time Karp reducible to graph isomorphism as claimed in the introduc- 
tion. In the case of p-groups, all of the nodes of our tree T(S) had order bounded by p + O(l); 
this is because every composition factor of a p-group has order p. However, for general solvable 
groups, the tree constructed in the obvious way does not have this property since the primes pi 
which divide n could have widely varying orders. It is therefore necessary to reduce the degree of 
the parts of the tree which correspond to large primes pi. We accomplish this by using Wagner's 
idea of fixing the generators of the large composition factors. Although his trick does not work in 
general, it does work in our case since by construction, the degrees of the nodes in our tree decrease 
as we move away from the root. 

We start by constructing a fixed binary tree that will correspond to the top of our new tree. 
This portion of the new tree will handle all large composition factors with the degree of the tree 
bounded by a constant. First, we require a useful fact which allows us to order the elements of a 
group uniquely given a generating set. The proof is simpleand we defer it to Appendix B. 

Proposition 10.1 (Wagner [39]). Let G be a group which is generated by the elements g = 
(<?i) • • • :9k)- We can define a total order < g on G that depends only on g where the first k + 1 
elements are e -< g g\ < g ■ ■ ■ -< g g/. ■ Given x,y £ G, we can decide if x < g y in polynomial time. 
Moreover, if H is a group which is generated by the elements h = (hi, . . . ,/ifc) and (j) : G —¥ H 
is an isomorphism such that (p(gi) = hi for all i then for every x,y G G, x ^ g y if and only if 

<t>(x) < h 4>{y)- 

We use the following binary tree in the degree reduction step. 

Definition 10.2. Consider a vector x = (xi, . . . ,X)~) of k nodes. We let B([k]) be any binary 
tree of size O(k) with k leaves that are each labeled by a unique element of [k]; we require that the 
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distance from the root to a leaf is the same for all leaves. We define B(x) by replacing the node 
labelled i in B([k]) with x\. 

The reason for first constructing P([fc]) is so that B(x) cannot depend on the values of the 
labels Xi of the nodes x. This ensures that if x = (x\, . . . , Xk) and y = (yi, . . . , y^) then the partial 
function tp : B{x) — > B(y) : Xi i-> y i for all i extends to a unique isomorphism from B{x) to B(y). 
This fact will be used later to ensure that isomorphisms between the graphs constructed for our 
groups G and H correspond to mapping each Xi to y«. 

We now construct our tree which fixes the generators of the large composition factors. We 
remark that since every composition factor is simple and each Pj is a pj-group, we only need one 
generator for each composition factor 3 . We start by reindexing so that pi > pj for i < j. We 
assume that p\ > a since otherwise our previous techniques suffice. Let n be the largest value of 
i such that p% > a. We construct a fixed binary tree T using Proposition 10.1 and Definition 10.2 
which represents the elements of Pi • • • P K . To each leaf of this tree, we attach a copy T(S K +\) 
as described in Definition 3.4. For each i > n, we attach a copy of T(Si + \) to each leaf of the 
current tree and continue this process until i = I. The leaves of the resulting tree then represent 
the elements of G. Moreover, the degree is at most a. Since we shall later take a = logn, we see 
that the factor of n °( lo s n / lo g lo s n ) i n the runtime of our algorithm for solvable groups comes from 
guessing the generators of large composition factors and also Theorem 3.2. The resulting tree is 
shown in Figure 1. This construction is made precise in the following definition. 

Definition 10.3. Let (G,V,S) be a Hall composition series where the order of G has the prime 
factorization n = Y\^ = ip\ % and pi > pj for i < j and let a be a parameter where a > p\. For each 
i such that pi > a, we are given a representative gij+i whose coset gij+\Pij 6 Pjj+i/Pjj generates 
the composition factor Pjj+i/Pjj. Let k be the largest value of i such that pi > a. We denote by 
g(a) = (#n, . . . 

> <?i,mi> • • • >9kIi ■ ■ ■ }9K,m K ) the vector of representatives. We note that the subgroup 
Pi ■ ■ • P K is generated by the elements ofg(a). To construct the tree T(S,g(a)), we start by ordering 
the elements of P\ ■ ■ ■ P K according to ^ g ( a y Let u be the vector which corresponds to this ordering. 
We construct a copy T of the tree B{u) and denote the leaf which corresponds to x = x± ■ ■ ■ x K 
where each Xj G Pj by (x k ) Xi> ... jXk _ 1 ; we color the leaf (x k ) X1j ,__ jXk _ 1 by the color k where x is the k th 
element of the vector u. The root is denoted P\. For x = x\ ■ ■ ■ x K where each Xj £ Pj, we create a 
copy T Xl Xk ofT{S K j r \) according to Definition 3.4 and identify its root with the node (x K ) Xl Xk _ 1 . 
For i > k where each Xj £ Pj, we create a copy T Xl) ... )Xj of the tree T(Si+i) and identify its root with 
the node for Xi in the tree T Xl ^ ^ Xi l . The result is the tree T(S,g (a)). For each i > k and x^ 6 Pk, 
we denote the node for XiPij in the tree T Xlj „. jXi _ 1 by (xjPjj) Xlj ... jXi _ 1 . For a leaf (x^) Xl) ... iX ^_ 1 
in T X1 Xt _ 1} we use the shorthand x\---xg. For subtle technical reasons, we color each node 
(xjPy) Xli ... Xi _ 1 "not identity" where each x& G Pj, and \{xk / e | 1 < k < i — 1}| + [x« Pij] = 1. 

Intuitively, if we write x = x\ ■ ■ ■ Xi where each x^ 6 P&, the nodes (xjPjj) Xl Xj _j which are 
colored "not identity" are those which are off the path from Pi to e by following exactly one 
arbitrary path through a copy of some T(S'j') and only passing through nodes of the form P^j 
in trees T Xlv .. jXfc _ 1 for all k / i! . The nodes colored "not identity" are used to show that the 
isomorphism between G and H which corresponds to an isomorphism of between the graphs is also 
an isomorphism from S to S' . 

3 This is because the only simple p-group is Z p . 
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T(S,g{a)) 




Figure 1: The tree T(S,g(a)) where each Xi,yi,Zi G Pi 



We shall call (G, V, S, g(a), n, a) a Hall composition series with fixed generators where G, V, 
S, g(a), k and a are as in Definition 10.3; when we speak of a Hall composition series with fixed 
generators, we shall always assume that some prime dividing n is at least a. 

We now run into the same problem as in the case of p-groups; namely, if we were to simply 
attach multiplication gadgets to each leaf of T(S,g(a)), the degrees of the leaves would become 
large. We remedy this in the same way as before by attaching a copy of T(S,g(a)) to each leaf of 
T(S,g(a)). We show the resulting graph in Figure 2 and define it as follows. 

Definition 10.4. Let (G,V,S,g(a),n,a) be a Hall composition series with fixed generators. To 
construct X(S,g(a)), we start with a copy T$ of T(S,g(a)). For each x G G, we create an 
additional copy T<?^ ofT(S, g{a)). We then combine these graphs by identifying the root of each T<?^ 
with the leaf x ofT$. A node in X(S,g{a)) is denoted by {yiPij) y x ^ t ..., yi _ 1 where i > k, x G G and 

each yfc G Pk- The superscript (x) determines the tree T^ which contains the node. The subscript 

(x) 

yi, ■ ■ ■ ,yi-i indicates that the node belongs to the tree T yit ,,^ yi _ 1 within the tree Tg . Finally, yiPij 
indicates that our node is the node for y%P%j in the tree T , J/lv .. )2/i _ 1 which is itself contained in the 

tree T^ x \ In particular, the leaf for y^ G Pg in the tree T yii ^^ ye _ 1 which is contained in T^ is 
denoted {ye)y°i,-,ye-i ■ We will sometimes use the shorthand (yi • • • ye)^ to refer to {ye)ui,---,ye-i ■ 
The node is the leaf of the tree B{u) within the tree T^ x \ For nodes in the tree T$, 

we simply omit the superscript (x) and write (yiPij) yi ,..., yi _ 1 for the node y%Pij in the tree T yit __^ yi _ 1 

(x) (x) 

which is contained in the tree T$. For each x,y G G, we connect three new leaves yX- , yW and 
y=^ to the leaf y^ and add them to X(S,g(a)). For all x,y,z G G such that xy = z, we draw an 
edge from y^) to x$ and from x$ to y=^ and color y^) "left", x^) "right" and y=^ "equal". We 
color the root node ofT$ "root"; all other nodes that have not yet been assigned a color are colored 
"internal". 

We say that an isomorphism <p : G — >■ H respects g(a) and h(a) if <j)(gij) = h{j for all i and 
j. Let us denote by lso g ^ a ^ h ^(S , S') the set of all isomorphisms 4> from S to S' which respect 
g(a) and h(a). We say that (S,g(a)) and (S',h(a)) are isomorphic if there is some isomorphism 
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X(S, g(a)) 




Figure 2: The cone graph X(S,g(a)) where x,y,z G G 

in Iso s ( Q ),_^( Q ) (<S, 5') in which case we write (S, g{ct)) = (S f , h(a)). We now show a bijection from 
Iso g{a) ^ h{a) (S,S') to Iso(X(5,gr(a)),X(5',^(a))). 

Theorem 10.5. Let (G ,V , S , g(a) , k, a) and (H, Q,S' , h(a), k, a) be Hall composition series with 
fixed generators such that the partial function ip : Pi ■ ■ ■ P K — > Q± ■ ■ ■ Q K : gij \-> hij for all i and j 
extends to an isomorphism ip : P± ■ ■ ■ P K — >■ Q\ ■ ■ ■ Q K where tp[Pij] = Qij for i < k and all j . Then 
there is a bijection between Iso g ( a ^h( a }(S,S') and Iso(X (S , g (a)), X(S' , h(a))). 

We give a sketch and defer the proof to Appendix B. The proof is similar to that of Theorem 3.6 
but the details are more complicated due to the presence of Sylow bases and fixed generators. 
Consider an isomorphism (j) G IsOg/Q,^^^)^,^). We define <p to be the map from X(S,g(a)) 
to X(S',h(a)) that maps the root G of X(S,g(a)) to the root H of X{S\ h(a)), each node 
x 6 G to (j){x) and each y( x ) to (4>(y))^ x ^; similarly, we define <j)(y^) = for each 

x,y G G and A G {•<—,—>,=}. As before, we extend the definition of <p to the intermediate coset 
nodes in a manner that is consistent with the assignments already made; there is no ambiguity as 
there is exactly one extension which results in an isomorphism. Although there are many details, 
it is relatively straightforward to show that (f> G lso(X (S,g (a)), X (S' ,h(a))). This shows that 
/ : Iso g ( a ),_^( a ) (S, S') — > lso(X(S,g(a)),X(S',h(a))) : 4> ^ 4> is a well-defined function. 

As before, the more difficult step is showing that / is a bijection. The same argument as in the 
proof sketch for Theorem 3.6 implies that / is injective. As before, we let 9 G Iso(X(5, g(a)),X(S', h(a))) 
and define the bijection <j) = @\ G '■ G — > H. Because of the colorings used for the binary trees in 
X(S , g{a)) and X(S\ h(a)), it follows that 4> respects the generators g{a) and h(a) and that each 
4>[Pij] = Qij for i < k. For i > k, we note that the unique shortest path from the root Pi of 
X(S,g(a)) to e passes through each node {Pij) X i,...,xi--i where each xu = e. The elements x G Pij 
in X(S,g(a)) are the nodes in G that can be reached from the node (Pij) Xl ,...,x i - 1 where each 
Xfc = e by following certain paths through nodes which are colored "internal" and "not identity." 
The "not identity" color in these paths is used to ensure that the node x = x\ ■ ■ ■ X£ at the end of 
the path where each Xi G Pi satisfies Xi = e except for i = k. By considering these paths, it follows 
that = Qij for each i > k which implies that (ft G FsOg^^^GS, <S')- 

Corollary 10.6. Let (G,V,S,g(a),K,a) and (H, Q,S' , h(a), n,a) be Hall composition series with 
fixed generators such that setting ijj(gij) = h^ for i < k and all j defines an isomorphism ip : 
Pi • • • Pk — * Qi • • • Qk where ip[Pij] = Qij for all i < k and j. Then (5, g(a)) = (S', h(a)) if and 
only if X(S,g(a))^X(S',h(a)). 

Lemma 10.7. Let (G,V,S,g(a),K,a) be a Hall composition series with fixed generators. Then 
the graph X(S,g(a)) has degree at most max{a,4} and size 0{n 2 ). 
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Proof. The tree T(S,g(a)) has size 0(n) and X(S,g(a)) contains n + 1 copies of this tree. Con- 
necting three additional nodes yf^ to each leaf y^ in each T<?^ only increases the number of nodes 
by a constant factor. Thus, X(S,g(a)) has (9(n 2 ) nodes. Let x,y £ G. The degree of the leaf node 
is 4 since it is connected to its three children where A 6 {■<—,—>■,=} and its parent. By 
construction, the degree of any internal node is at most a. □ 

Theorem 10.8. Let (G,V,S,g(a), n,a) and (H, Q,S' , h(a), k, a) be Hall composition series with 
fixed generators. Then we can test if (S,g(a)) = (S',h(a)) in time n°( a / loga \ 

Proof. We start by checking if the mapping from g(a) to h(a) extends to an isomorphism from 
ip : Pi ■ ■ ■ P K — >■ Qi ■ ■ ■ Q K . If this is the case then this isomorphism ijj is unique and we check if 
i/)[Pij] = Qij for alH < k and j. If both of these conditions hold, then we continue; otherwise, we 
return that (S,g(a)) ^ (S',h(a)). 

We can compute the graphs X(S,g(a)) and X(S', h(a)) in polynomial time. By Corollary 10.6, 
(S,g(a)) = (S',h(a)) if and only if X(S,g(a)) = X(S',h(a)) so this reduction is correct. By 
Lemma 10.7, the number of nodes in X(S,g{a)) is 0(n 2 ) and the degree is at most maxja, 4} = 
0(a). To apply the constant degree graph isomorphism algorithm, we first remove the color for 
each node colored by the number k by attaching a path graph of length k. For the nodes colored 
"not identity", "left", "right", "equal" and "root", we remove the color and attach a copy of K3, 
K4, K§, Kq or Kj respectively where Ki is the complete graph on i vertices. We simply discard 
the "internal" color. This increases the number of nodes by a factor 4 of at most O(n) and increases 
the maximum degree to at most a + 1. Then we can test if X(S,g(a)) = X(S', h(a)) in n °( a / lo s a ) 
time using Theorem 3.2. □ 

As for p-groups, we modify Theorem 10.8 for Hall composition-series canonization. 

Theorem 10.9. Let (G,V,S) be a Hall composition series. Then we can compute the canonical 
form Can(cS) of (G,V,S) in n O(i°g"/i°gi°g™) time. 

We give a sketch and defer the complete proof to Appendix A. Although the full proof is 
complicated, our strategy is a straightforward extension of the proof of Theorem 3.12. We set 
a = logn/loglogn and reindex so that pi > pj for i < j. Although the graph X(S , g(a)) in 
Definition 10.4 is only defined when p\ > a, there is a trick which allows us to reduce the case 
where p\ < a to the case where p\ > a; therefore, we shall assume that p\ > a. As usual, 
we let k be the largest value of i such that pi is at least a; we consider all possible choices of 
ordered generating sets g(a) for the subgroup P±- ■ ■ P K which correspond to representatives of the 
factor groups of each Si for i < n. For each choice g(a), we compute Can(A(5, g{a))) and define 
Inv(5) to be the graph C&n(X (S , g(a))) which comes first lexicographically. It is easy to show that 
Inv(5) is a complete polynomial-size invariant for S. A multiplication table for a group with the 
underlying set [n] which is isomorphic to G can then be computed using arguments similar to those 
from Theorem 3.12. We then compute the subset of [n] which corresponds to each Pi and each Pij 
by following certain paths in Can(A(5, g{a))) which start at nodes of the form {Pij) Xl ,...,x i ^ 1 with 

4 Although overhead of a factor of 0(n) is sufficient for our purposes, it is possible to reduce this to a constant 
factor. To achieve this, we replace the colors "not identity" , "left" , "right" , "equal" and "root" with complete graphs 
as before but implement the colorings by each number k more efficiently. This is done by drawing an edge from each 
node colored by the number k to the unique node colored k + 1 at the same level in the same subtree. We then 
distinguish the nodes colored 1 from the other nodes by attaching a single node to each of them. 
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each Xfc = e where the nodes are colored "internal" at first and then "not identity." Because the 
computations described are deterministic and depend only on Inv(<S), the composition length of 
each Pi and n, we obtain a canonical form for (G,V,S). 

11 Algorithms for solvable- group isomorphism 

In this section, we derive our algorithms for solvable-group isomorphism. A generalization of 
Theorem 1.1 now follows from the results of Sections 9 and 10. 

Theorem 11.1. Let G and H be solvable groups. Then we can test if G = H in 

(a) n (i/2)log p n+0(logn/loglo g n) time f or deterministic algorithms 

(b) n (V4)log p r i +0(logn/loglogn) time for randomized algorithms 

(c) n (i/6)log p r i +0(logn/loglo g n) time f or quantum algorithms 

where p is the smallest prime dividing the order of the group. 

Proof. Prom part (a) of Theorem 9.9, there are at most n( 1 / 2 ) 1 °Sp n +°( 1 ) calls to the algorithm for 
Hall composition series canonization where p is the smallest prime dividing the order of the group. 
Each such call requires n °( lo s n / lo g lo s n ) time by part (a) of Theorem 10.9 for an overall runtime of 

n (l/2)log p n+0(logn/loglogn)_ p artg ^ and ^ fo]]ow from partg ^ and ^ q{ TheQrem 9.9. Q 

As we show in Appendix D, the deterministic variant of our algorithm can be adapted to perform 
solvable- group canonization. It is also easy to show that the analysis of Theorem 11.1 is tight. 

Theorem 11.2. If n is sufficiently large, there exists an Abelian group of order n for which part 
(a) of Theorem 11.1 requires at least n (V2)log p n+n(logn/ log logn) Ume 

Proof. Consider the Abelian p- group Z^ of order 0(n/ logn) and the cyclic group Z g of prime order 
(1/2) log n/ log log n < q < logn/ log logn. Provided n is large enough, it follows from Bertrand's 
Postulate that we can always construct such groups. We choose G = H = x Z q x Z^ where 
d = n/p k q. Working through the analysis of Theorem 11.1, we find that our algorithm takes 

n (l/2)log p n+fi(logn/ log logn) £j me _ □ 
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A j9-Group isomorphism proofs 



We now supply the proofs for our p-group isomorphism algorithm which were omitted from the 
main body of the paper. 

A.l The correctness proofs for p-group isomorphism 

We prove a version of Theorem 3.6 with an explicit bijection. 

Theorem A.l. Let S and S' be composition series for the groups G and H which consist of the 
subgroups Go = {e} <■ ■ ■ < G rn = G and Hq = {e} < • • • H rn = H. Define f : <fi \-¥ <f> where the map 
4> : X(S) -»• X(S') acts as follows for (f> G Iso(5, S'): 

(a) For the root, (j){G) = H. 

(b) For each node xGi G G/Gi in T$, 4>(xGi) = 4>[xGi\ = 4>(x)Hi. 

(c) For each node (yd)^ in T ( s x) , (f>((yGi)W) = {4>[yGi})^ x » = (4>{y) Hi)^ x » . 

(d) For each node y( x ) in with x,y G G, 4>{y^) = <f)(y)^ x ^ . 

(e) For each leaf node in where x,y G G and A G {■<— , — >, =}, (f>(y^) = <f>(y)^ x ^ ■ 
Then f : Iso(S, S') — > lso(X(S), X(S')) : <f> — > <fi is a well-defined bijection. 

Proof. We note that (a) and (d) are special cases of (b) and (c). It therefore suffices to consider 
the other three lines. 

Let (j) G Iso(»S, S') and observe that <f>[Gi] = Hi for all i so the equalities in the definition of <j> 
hold. Also, (b) and (c) both apply to the root node of since x G G is identified with (G)( x \ 
By (b) we have 4>(x) = <f>(x) while by (c), <K(G) (x) ) = (H)M X ». Since <p(x) was identified with 
there is no ambiguity. Thus, <p is well-defined. 

By definition (f> maps the root node of X(S) to the root node of X(S') and the nodes in the k th 
level of X(S) to the k th level of X(S'). Then it follows from our definition that <p respects the colors 
on all nodes. We start by proving that <p is a injection. It suffices to consider nodes in the same level. 
Let xGi,yGi G G/Gi be nodes in T5 and suppose that 4>{xGi) = 4>(yGi). Then <j>{x)Hi = 4>(y)Hi 
so <j)(x~ 1 y) G Hi and x~ l y G (/> -1 [f/j] = Gj. Therefore, xGi = yGi. Consider nodes (yGi)^ in 

and (zGi)^ in T^ w) and suppose 4>((yGi)^) = 4>{(zGi)^). Then (<j>(y)Hi)M x » = 

This implies that (f)(x) = <j>(w) so that x = w. Hence 4>(y)Hi = <p(z)Hi and yGi = zGi so that 

(yGi)^ = (zGi)( w \ Then it follows from the definition of <p that it acts as an injection on the leaf 

nodes {yf^ • Thus, 4> is an injection so since X(S) and X(S') have the same cardinality it is a 

bijection. 

Our next step is to show that <f> respects the tree edges. Consider an edge between the nodes 
yGi G G/Gi and xG i+1 G G/G i+1 in Tjg. Then yd C xG i+ i so (f>(yGi) = 4>[yGi] C 4>[xGi +1 ] = 
(j){xGi + i). Since (p(yGi) = 4>(y)Hi and 4>{xGi+i) = 4>(x)Hi + i, there is a tree edge between 4>(yGi) 
and 4>{xGi + i) in X(S'). For a tree edge between the nodes (zGi)^ and (yGj+i)( x ) in Tg X \ we again 
have zGi C yGi + \ and so the same analysis shows that there is a tree edge between (f>((zGi)( x ^) 

and 4>((yGi+i)W) in X(S'). Finally, by definition preserves the edges from each node y^ to the 

1 O) 
leaves y\ . 

(x) 

We now consider the cross edges. Suppose that xy = z; we will show that the edges from y<_ 

(v) (v) (z) 

to x K A and from x K A to y= are preserved by <p. By definition, we have 
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kvP) = mt {x)) 

= <K*/)L* W) 

Since : G — > H is an isomorphism, (f>(x)(f)(y) = <fi(z) so there are cross edges from (f>(y)^ x ^ to 
cj)(x)^ y ^ and from 0(x)^^ to (^(y)^ 2 ^ in X(S'). Since X(S) and X(S') have the same number 
of edges, it follows that there is an edge between two nodes in X(S) if and only if there is an 
edge between their images under in X(S'). Thus, <j> is an isomorphism so we have shown that 
/ : h+ is a map / : Iso(S, 5') -»• Iso(X(5), X(5')). 

It remains to show that / is bijective. Suppose that 0i,02 G 1so(S,S') and 0i = 02- Then in 
particular we have <f>i(x) = 4>2{x) for x G G so 0i(x) = 02 0*0 and 0i = 02- Therefore, / is injective. 
Our final task is to show that it is surjective. Let 9 G Iso(X(S l ), X(S')). Because the roots G and 

of X(S) and X(S') are the only nodes colored "root", we have 9[G\ = H and 9 maps the fc th 
level of X{S) to the k th level of X(S"). Then the map 4> : G ^ H : x ^ 9{x) where x G G is a 
node in is a well-defined bijection. 

We now claim that for any node y^ in Tg X \ 9(y (x) ) = (f){y) Wx)) . We know that T (x) is rooted 
at the node x of T$ and 0(cc) = 0(x) by definition of 0. It follows that the node 9(y^) is in Tgt^; 
similarly 9{x^) is in T ( s t (y)) . Hence, we can write 9(y^) = <£(&)(*(*)) and 9{x^) = </>(a)Mv» for 
some a, b G G. We know that in X(S'), the unique shortest path from 0(x) to 0(y) that passes 
through a node colored "left" and later a node colored "right" follows the tree Tgt^ x ^ to (f>{y)^ x ^\ 
then the path {</>{y) Wx) \ d>{y) { £ {x) \ 4>(x) { 4 (y)) , (f>(x)M y ») and then the tree T^ (y)) to <f>(y). On 

the other hand, we know that the path (<f>(b)M x », 0(&)^ {x)) , 0( a )^ (?/)) , 0(a)W^) exists in 
by definition of a and 6. Then a shortest path that passes through a node colored "left" and 
later a node colored "right" from 0(x) to 0(y) follows the tree Tgf^ to (f>(b)^ x ^, then the path 
(0(6)^^),0(6)^ (:r)) ,0(a)^ (j/)) ,0(a)^))) and then the tree T ( s t (y)) to 0(y). From uniqueness, it 

follows that 4>{x) = 0(a) and <p(y) = 4>(b) so x = a and y = b. Thus, for any node y^ in Tg X \ 
%(*)) = (f){y)^\ 

Now, we show that is an isomorphism. We have already shown that it is bijective. Let x,y G G 
and set z = xy. Then maps the path (yt\x {y ) ,y { i ] ) in X(S) to the path (0(y)^ (a;)) , (f>(x) { i {y) \ 0(y)L 0W) ) 
in X(S'). Since preserves colors, the colors of the nodes in this path are ("left", "right", "equal"). 
We conclude that 0(x)0(y) = <f>(z). By definition of z, it follows that is an isomorphism from 
G to H. We claim that 0[Gj] = Hi. Consider the node Gj G G/Gf, the nodes x G G, are the 
leaves of the tree T5 in X(S) which are descendants of Gj. Similarly, for the node Hi G G/Hf, the 
nodes y £ Hi are the leaves of the tree T#/ in X(S') which are descendants of Hi. Because is an 
isomorphism, 0(e) = e so that 9(e) = e. It follows that 9 maps the unique shortest path from G 
to e in X(S) to the unique shortest path from H to e in X(S'). This implies that 9[Gj\ = Hi so 
that 9\ G is a bijection from Gj to Therefore, 0[Gj] = Hi so is an isomorphism from 5 to S'. 

Then 6> = 0. Hence, we have proven that / is a bijection. □ 

Theorem 3.12. Let S be a composition series for a group G such that a is an upper bound for the 
order of any factor. Then we can compute a canonical form Can(5) for S in time. 
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Proof. We start by showing how to obtain a complete polynomial-size invariant Inv(S') for S and 
then use it to get a canonical form. The canonical form C&n(X(S)) of X(S) can be computed in 
n O(a) tj me by Theorem 3.3. We then let Inv(S) = C&n(X(S)). Let S' be a composition series 
for a group H. Then S = S' if and only if Inv(S') = Inv(S") since we have S = S' if and only if 
X(S) = X(S') by Corollary 3.7. Thus, Inv(S') is a complete polynomial-size invariant for S. 

We now construct a canonical form Can(S') for S. There exists an isomorphism 6 : X(S) — > 
C&n(X(S)). We start by computing Inv(S') = C&n(X(S)) and then locate the root node 6(G) of 
C&n(X(S)); this is easy since the root is the only node colored "root." We then note that the 
composition length m of G is equal to the distance from the root of X(S) to the nodes x G G; this 
allows us to find the nodes 6(x) in C&n(X(S)) where x £ G using breadth-first search. For each 
such x G G, we then define Xq(6(x)) to be the index of 6(x) in the sequence of nodes 6(x) where 
x G G obtained in the breadth-first search. Thus, Ac* : 6[G] — > [n] is a bijection. 

Let x,y G G; we will now show how to compute 6(xy) from Can(X(5)) given 6(x) and 6(y). 
Note that in X(S), there is a unique shortest path from x to y that passes through a node colored 
"left" and later a node colored "right"; namely, this is the path which follows the tree Tg from 

x to y( x \ then the path (y^ x \ y+^ , x^ , x^ ) and then the tree to y. Thus, given nodes 6(x) 
and 6(y) in Can(X(S')), we can find the nodes 6(y^) and 6(x^ y >) in Can(X(5)). Once this has 
been done for all x,y £ G, the multiplication table defined by the rule 6(x)6(y) = 6(xy) can be 
determined by inspecting the multiplication gadgets in Can(X(S')). 

Using the multiplication table just computed, we can find the node 6(e) in C&n(X(S)) which 
corresponds to the identity. The unique shortest path from the root G of X(S) to e is (G m = 

G, . . . , Go = {e}). Thus, we can find the node 6(Gi) in C&n(X(S)) which corresponds to each G\. 
Moreover, for each i, the elements x G Gi in X(S) are precisely the nodes y G G which can be 
reached from the node Gi by moving away from the root. Then for each i, we can find the nodes 
6(x) in C&n(X(S)) where x G Gi by breadth-first search on C&n(X(S)). 

Define (j> = 6\ G and ipc = ^g4>- Let M(G) be the n x n matrix with elements in [n] defined 
by (M(G)) i> 

g(x),iI> g (v) ~ ^c(xy) for all x,y G G. We compute ipG[Gi\ for each i and define the 
canonical form of the composition series as Can(5) = (M(G),ipc[Go], ■ ■ ■ ,ipG[G m ])- 

We claim that Can(5) is a canonical form for S. Let S' be a composition series for a group 

H. By construction, : G — > [n] is an isomorphism from G to the group described by the 
multiplication table M(G). If Can(S') = Can(S") then ipj^ipc is an isomorphism from 5 to S' so 
S = S'. Suppose that S = S'; then Inv(S') = Inv(S"). Since we computed Can(5) deterministically 
and this computation depends only on Inv(S), n and the composition length of G, it follows that 
Can(S) = Can(S'). □ 

Lemma 5.1. Algorithm 1 returns a composition series for G; moreover, every subgroup in the 
series which is a socle or a preimage of a socle is labelled "socle. " 

Proof. First, if G is simple then {e} <G is a composition series for G; also, soc(G) = G in this case 
and so G is properly labelled as "socle." Otherwise, suppose soc(G) = G. Algorithm 2 is correct 
by definition so line 12 sets T to the set of all simple minimal normal subgroups of soc(G). 

We know that G can be written as a direct product Y\ i Si where each Si is a simple subgroup 
of G. Because each Si is part of this direct product, it is also normal in G. Moreover each Si is 
a minimal normal subgroup since if N < Si and iV < G then iV G {{e},^} since Si is simple. 
Therefore, soc(G) is a direct product of the simple minimal normal subgroups of soc(G). 
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The while loop on line 14 builds up a composition series of direct products of simple minimal 
normal subgroups in T for soc(G). Line 15 chooses a simple minimal normal subgroup L of soc(G) 
that can be added to the direct product. Lines 18 - 23 remove redundant subgroups from T that 
form the same direct product with K leaving only one subgroup that forms each product. Since 
this does not change the set of direct products that can be formed, this part of the algorithm 
affects only efficiency but not correctness 5 . We claim that there is always a choice of L on line 15 
such that K n L = {e}. Let us write K as the direct product \\ i L; L where each Lj is a simple 
minimal normal subgroup of soc(G) chosen from T during a previous iteration of the loop. From 
the loop condition, K <isoc(G). We know that soc(G) is characteristically simple so K is not a 
characteristic subgroup of soc(G). Then there exists <ft £ Aut(soc(G)) such that <f>[K] ^ K so for 
some i, 4>[L,j\ % K. Since Li is a minimal normal subgroup of soc(G) so is <j>\Lj\ and it follows that 
K n (j)[Li\ = {e}. Thus, there is a simple minimal normal subgroup of soc(G) which intersects K 
trivially. Since lines 18 - 23 do not affect which direct products can be formed using subgroups in 
T with K, either <p[Li\ 6 T or there is some other simple minimal normal subgroup of soc(G) in T 
that forms the same product with K. Thus, a valid choice of L always exists on line 15. 

We have shown that the part of S from {e} to soc(G) is indeed a composition series. This 
suffices to prove the base case where soc(G) = G. 

We note that Kq < ■ ■ -<K m is a composition series for G/soc(G) by induction. We have already 
argued that the part of S from {e} to soc(G) is a composition series. The factors of the portion 
of S from soc(G) to G are simple since the subgroups in that part of the series are the preimages 
of the composition series Kq < ■ ■ ■ < K m for G/soc(G). It follows that S is a composition series. 
Moreover, all socles and their preimages are labelled "socle" since each socle is labelled "socle" 
when it is initially added to the series and labels are preserved when taking preimages. □ 

A. 2 Obtaining the n^ 1 ^ 2 ^ 1 ^ 1 ^ ^ runtime for p-group isomorphism 
Lemma A. 2. If < e < x,y then x 2 + y 2 < (x + y - e) 2 + e 2 . 

Proof. We see that x 2 + y 2 < (x + y — e) 2 + e 2 holds if and only if < xy — e(x + y) + e 2 . Define 
/(e) = xy - e ( x + y) + e 2. Then /'(e) = 2e- (x + y) < for < e < x, y. AWLOG that x < y. Then 
the minimal value of / occurs at e = x in which case /(e) = 0. It follows that < xy — e(x + y)+e 2 
for all < e < x, y. □ 

Lemma 5.4. The maximum value of \\x\\*> subject to the constraints that x G R d , each Xi > 1 and 
Eli x i = * where t>dis(d-l) + (t-(d- l)) 2 . 

Proof. Choose some xel d that satisfies the constraints. Then by Lemma A. 2 



II 1 1 2 2 I _j_ 2 

Il x ll2 — X l "r ' ' ' + X d 

< 1 + x\ H h x d _i + (x d + xi- l) 2 

d-l 

^(d-lHO^ + ^Or.-l)) 2 

i=l 

= (d- l) + (t- {d- l)) 2 

5 These lines only matter when we consider all possible choices on line 15. 
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Moreover, we note that (d — 1) + (t — (d — l)) 2 is achieved by x* where x* = 1 for i < d and 
x* d = t-(d-l). □ 

Lemma 6.2. // c\ and C2 are positive constants then c\ log p n + C2P < c\ logn + O(l) /or 2 < p < 
c\ lnra/c2 In 2 p. 

Proof. Define 



f(p) = ci \og p n + c 2 p 
= c\ In nj lnp + C2P 

We fix n and choose 2 < p < c\lnn/c2 In 2 p such that /(p) is maximal. We have 



cilnn 

/ (?) = + c 2 

pin p 

Then /'(p) < if and only if 



ci Inn 
c 2 < -r-2- 



P < 



pin p 
ci Inn 



c 2 In 2 p 

It follows that f(p) < f(2) for 2 < p < ci lnn/c2 ln 2 p from which our result is immediate. □ 
Lemma 6.3. If c is a positive constant then log p n = 0(logn/ log logn) for p > c Inn/ In 2 p. 

Proof. First suppose that clnn/ln 2 p < p < e'^ n . Then lnlnp < (l/3)lnlnn so 

Inn 

log n = 

y lnp 

Inn 

< 



ln(clnn/ In 2 p) 
Inn 

In c + In In n — 2 In lnp 
= 0(lnn/ In Inn) 
= 0(log nj log log n) 

For the case where p > e'^ n we have log p n < (Inn) 2 / 3 = o(logn/ log logn). □ 
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B Solvable-group isomorphism proofs 
B.l Computing a Sylow basis in polynomial time 

We now prove that a Sylow basis of a solvable group can be computed in polynomial time. First, 
it is necessary to introduce a few more definitions and results. 

Definition B.l. Let ir be a set of primes. A group G is a n-group if for every g G G, the prime 
divisors of the order of g are contained in it. 

Definition B.2. Let G be a group whose order has the prime factorization n = Y\.i=iP C i an ^ ^ 7r 
be a subset of {pi | 1 < i < £}. A Hall tt -subgroup of G is a it -subgroup of order n pi eirPi* • 

For convenience, we denote by p-i the set of all primes except for pi which divide the order of 

G. 

Definition B.3. Let G be a group whose order has the prime factorization n = Yli=iP?- A 

Sylow system of G is a collection of subgroups Q = {Qi | 1 < i < £} such that each Qi is a Hall 
P-i-subgroup ofG. 

Hall showed that a group is solvable if and only if it has a Sylow system. 

Theorem B.4 (Hall [17], cf. [32]). A group G is solvable if and only if it has a Sylow system. 

Hall subgroups need not exist in a general group. However, the above shows that Hall p-i- 
subgroups always exist in a solvable group. In fact it holds more generally that for any set of 
primes tt which divide the order of a solvable group, there exists a Hall 7r-subgroup. 

Theorem B.5 (Hall [17], cf. [32]). Let G be a solvable group whose order has the prime factorization 
n = Yli=iPi' an d tt be a subset of {pi | 1 < i < £}. Then every tt -subgroup of G is contained in 
a Hall iT-subgroup of G. 

We remark that since {e} is a 7r-subgroup, in particular this implies that Hall 7r-subgroups exist 
in a solvable group. 

Lemma B.6. Let G be a solvable group whose order has the prime factorization n = Yl i=1 p^' and 
let tt be a subset of {pi | 1 < i < £}. Then we can compute a Hall tt -subgroup of G in polynomial 
time. 

Proof. Suppose that H is a 7r-subgroup of G which is not a Hall 7r-subgroup of G. By Theorem B.5, 
H is properly contained in some Hall 7r-subgroup K of G. For every g G G \ H, we can check if 
(H,g) is a 7r-subgroup of G in polynomial time. For g G K \ H, (H,g) is a subgroup of the 
Hall 7r-group K so (H,g) is a 7r-subgroup of G. Thus, we can find some g G G\ H such that 
L = (H, g) is a 7r-subgroup of G in polynomial time. Since H < L, we have found a 7r-subgroup of 
G which properly contains H. Since {e} is a 7r-subgroup of G, it follows that we can compute a 
Hall 7r-subgroup of G in polynomial time. □ 

This lemma was previously proven by Kantor and Taylor [19] in the setting of permutation 
groups. It is immediate that we can compute a Sylow system of a solvable group in polynomial 
time. 
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Corollary B.7. Let G be a solvable group. Then we can compute a Sylow system ofG in polynomial 
time. 

The desired result now follows from a result which shows a close relation between Sylow bases 
and Sylow systems. 

Proposition B.8 (cf. [32]). Let G be a group whose order has the prime factorization n = Y\i=iP? 
and consider a Sylow system Q = {Qi | 1 < i < £} of G. Then the map defined by Q i— >■ V where 
V = {Pi | 1 < i < £} and Pi = Dj^i Qi ^ s a bisection from the Sylow systems of G to the Sylow 
bases of G. 

Lemma 9.4. Let G be a solvable group whose order has the prime factorization n = Yli=iP?- 
Then we can compute a Sylow basis of G in polynomial time. 

Proof. Observe that the map from Proposition B.8 can be evaluated in polynomial time given a 
Sylow system. The result is then immediate from Corollary B.7. □ 

B.2 The correctness proof for solvable-group isomorphism 

Proposition 10.1 (Wagner [39]). Let G be a group which is generated by the elements g = 
(<7i, . . . , <7fc). We can define a total order ^ g on G that depends only on g where the first k + 1 
elements are e -< g g\ -< g ■ ■ ■ -< g gk- Given x,y £ G, we can decide if x < g y in polynomial time. 
Moreover, if H is a group which is generated by the elements h = (hi, . . . ,hk) and (ft : G — > H 
is an isomorphism such that (ft(gi) = hi for all i then for every x,y £ G, x ^ g y if and only if 
(ft{x) < h 4>{y)- 

Proof. We consider the Cayley graph X = C&y(G,K) for the group G with generators in K = 
{</i, . . . , gk}- We define the order ^ g as follows. Let W g = K* . For each x G G, we say that 
w = (x±, . . . , Xj) G W g represents x if x = x\ ■ ■ ■ Xj where the empty product corresponds to the 
identity e. For x, y € W g , we say that x < 9 y if 

(a) \x\ < \y\ or 

(b) \x\ = \y\ and x is lexicographically at most y with respect to the ordering g\ < 9 ■ ■ ■ < 9 gk- 

Among the set of all words which represent x, there is some word of minimal length j g (x). We 
can calculate j g (x) in polynomial time using a simple breadth-first search starting from e in X. 
Among the words of length j g (x) which represent x, there is some word w x which is lexicographically 
less than every other word of length j g (x) which represents x. We show that w x can be found in 
polynomial time. To do this, we check for each gi if there is a path from e to x of length j g (x) 
where the first edge is labelled gi using breadth-first search; this is the case if and only if there is 
a word of length j g (x) which represents x and starts with gi. We choose the smallest such i for 
which this is the case. Then w x starts with gf, we can continue this process recursively from the 
node gi to compute the rest of the elements of w x - 

We can now define the order < g ] for any x,y £ G, we compute w x and w y in polynomial time. 
We define x < g y if and only if w x < 9 w y where < 9 is as defined above. By definition, this order 
can be computed in polynomial time. 

Finally, consider a group H which is generated by the elements h = (h±, . . . , /i&) and an iso- 
morphism (ft : G — >■ H such that (ft(gi) = hi for all i and j. Let x,y G G. We first show that j g (x) = 
3h{4>( x ))- If w = (^lj • • • i x j) ^ represents x, then it follows that w' = ((ft(xi), . . . , (ft(xj)) £ Wh 
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represents (ft(x). Thus, j g (x) > jhi'Pix))'-, similarly, if w' = (y±, . . . , yj) G Wh represents (ft(x), then 
w = (0 _1 (yi), . . . , (p^iyj)) G W g represents x so jh{4>{x)) > 3g{x). Hence, j g (x) = j h {(ft(x)). 

Consider the lexicographically minimal word w x = {x\, . . . , Xj) G W g of length j = j g (x) which 
represents x. We claim that wm x \ = w' where w' = ((ft(xi), . . . , (ft(xj)). First, we note that w' 
represents (ft(x) so it follows that wm x \ ^ h w' . Suppose wm x \ < h w' and let wm x \ = (yi, . . . , yj); 
we see that . . . , <^ _1 (y fc )) < 9 w x = (xi,...,x k ). Since (</> _1 (yi), . . . , ^{Vk)) represents 

x, this contradicts the minimality of w x ; we conclude that w^ x ^ = w' . It follows that x ^ g y if and 
only if (j)(x) < h <f)(y). □ 

We prove a version of Theorem 10.5 with an explicit bijection. 

Theorem B.9. Let (G,V,S,g(a), K,a) and (H,Q,S',h(a),K,a) be Hall composition series with 
fixed generators such that the partial function ift : Pi ■ ■ ■ P K — > Q± ■ ■ ■ Q K : gij i-> hij for all i and 
j extends to an isomorphism ift : Pi ■ ■ ■ P K — > Q± ■ ■ ■ Q K where tp[Pij] = Qij for i < k and all j. 
For (ft G ]sOg(a)i-th{a) («^> S') eac h 4>i '■ G — > Qi be defined by (fti(g) = hi for g G G where (ft(g) = 
hi ■ ■ ■ h£ and each hj G Qj. We define f : (ft t— > (ft where the map (ft : X(S,g(a)) — > X(S', h(a)) acts 
as follows for (ft G Iso g ( a) ^ h ( a) (S,S'). 

(a) For the root, (ft(Pi) = Qi- 

(b) For each node (xiPij) xlj .. mjXi _ 1 in T$ with x = x\---Xi and each Xk G Pk where i > k, 
i>{{x i P ij ) Xl> ... jXi _ 1 ) = (^[arjP i j])^ 1 ( x ) v ..^ i _ 1 ( x ) = {^{xijQij)^),...,^^)- 

(c) For each node {yiPij)^il...,y i _ 1 in T<?^ with x G G, y = yi ■ ■ ■ yi and each yk G Pk where i > k, 



(y),-,4>i-i(.v)' 



(d) For each node in T^ x) with x,y£G, (ft(y ix) ) = </>(y)M x V . 

(e) For each leaf node y^ in where x,y G G and A G {■<— , — >, =}, <ft(y^) = (ft(y)^ x ^ . 
Then f : IsOg^^^^S , S') : (ft — > (ft is a well-defined bijection. 

Proof. The proof is similar to that of Theorem 3.6 but is significantly more complicated due to the 
trees which were glued together and the generators which were fixed in Definition 10.3. Let (ft G 
^ so g (a)^h(a){S,S')- Observe that for ^ G Pi, (ft(gi) = (fti(gi) so <fo| Pj : Pi ->■ Qi is an isomorphism. 
We note that the maps <fti need not be homomorphisms; however, this is not necessary for our proof. 

We shall assume throughout that k < t since otherwise the proof is easy as we have |lso g ( a ) M .^( a ) (<S. 
\Iso(X(S,g(a)),X(S',h(a)))\ = 1. Then (d) is a special case of (c) so it suffices to consider the 
other four lines. 

We remark that we did not define (ft on all the nodes in the binary trees B (it) from Defini- 
tion 10.3. This is intentional as we defined (ft on the root and leaves of B(u) so there is at most 
one definition of (ft on the remaining nodes of B(u) which respects the edges (and we shall argue 
that it exists). 

By assumption, 0[-Pjj] = Qij for all i and j so the equalities in the definition of (ft hold. We also 
see that (b) applies to the root of each tree T xlj .„ >Xi in T$ where each Xj G Pj and i > n in two 
different ways. This is because the root {Pi+i) Xl: ..., Xi is identified with the node (xi) Xl: ,,_ :Xi _ 1 in T$. 

However, letting x = x 1 ■ ■ ■ x,, we have (ft{{Pi + i) Xl ,..., Xi ) = {Qi+i)^),...^) and = 
Since (Qi+i)^),...^) is identified with (</>&)) fa^.^^ this isn't a 

problem. A similar issue occurs when (c) is applied to the root of the tree Ty^ m .., yi in T$ where 
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x G G, each yj G P, and i > k. However, there is no ambiguity in this case for exactly the same 
reason. Thus, (j) is well-defined. 

We proceed by proving that <fi is a injection. By definition 4> maps the root node of X(S, g(a)) 
to the root node of X(S',h(a)) and the nodes in the k th level of X(S,g(a)) to the k th level of 
X(S', h(a)). Thus, it suffices to consider nodes in the same level. Obviously, this condition holds 
for the root P\ of T$. We consider all of the remaining cases in the definition of <f>. Consider 
the nodes (xjPjj)^,...^^ and (yiPij) yit ... t y i _ 1 in T s with x = x 1 ---x i , y = y\---yi and each 
x k ,y k G P k where i > k. Suppose that 0((xjP i j) Xl) ... )Xj _ 1 ) = <f>((yi p ij) yi ,..., yi _ 1 )- Then we have 
{^{x^Qij)^)^..^^) = {(p(yi)Qij)My),-^-i(y) which implies that <p k (x) = <j> k (y) for 1 < k < 
i — 1. Then = ^ for 1 < k < i — 1 so (p(xi)Qij = 4>{yi)Qij and it follows that XiPij = yiPij. 

Suppose ${{yiPii)w > ,.--,Vi-i) = Hi z i p ij)^il-,zi-i) w ith x > w G G, y = yi---yi, z = z\---Zi and 
each G P fe where i > k. Then (^(yi)Qij)^(^... i0 ._ l(2/ ) = (H z i)Qij)^f,..., (t>i _ 1 ( z y Thus i 

= </)(u>) so i = to. Hence, 0fe(y) = </>fc(z) for 1 < k < i — 1 so x k = z k for 1 < A; < i — 1. 
Then <f>(yi)Qij = 4>{zi)Qij so yiPij = ZiPij. It follows from the definition of (f> that it also acts as 

(x) 

an injection on the leaf nodes y x . Thus, 4> is an injection and hence a bijection. 

We now argue that <fi respects all colors. It follows from our definition that (f> respects the colors 
"left", "right", "equal", and "root" on all nodes. For a node (xiPij) xl ^„ tXi _ 1 colored "not identity" 
where x = x 1 ---x i , each x k £ P k and % > n, we have i>({x i P i j) xl!m .. jXi _ 1 ) = {^{xijQij)^)^..^^) 
which is also colored "not identity". Similarly, for a node {yiPij)y X 1 ]...,y i - 1 colored "not identity" 
where x G G, y = y x ■ ■ ■ yi, each y k G P k and i > k, we have H(yi p ij)yi]-,y t -i) = (0(y^Qij)^(y)]...,<j ) ,_ 1 (y) 
which is also colored "not identity". Therefore, <p also respects the "not identity" color. Since <j> is 
a bijection, we can apply the same reasoning to I (j> I to show that a node in X(S, g(a)) is colored 



not identity if and only if its image under cj) is colored not "identity" . It follows that 4> respects the 
"internal" color. 

We denote by W Q ) ( x ) the position of x G Pi ■ ■ ■ P K in the order on P\ - ■ ■ P K determined by 
^g(a)- Recall that the node (x k ) X1; „_ jXk _ 1 has color i g r a \(x) where x = x\---x R and each xj G 
Pj. It follows that (x k ) Xi ,... jXk _ 1 and 0((x«) X1) ... jXk _ 1 ) = (^(x K ))^ 1 ( x ) v .. ) )t _ 1 ( x ) have the same color 
^g(a){ x ) = ih{a){y) by Proposition 10.1 where y = 4>i(x) ■ ■ ■ (f> K (x) = <p{x). Similarly for x G G, 

and U{VK)v X u-,vn-i) = ^(y^)) { S,...,4> K -i(y) have the same color = 
where y = y\ ■ ■ ■ y K , z = (f>i(y) ■ ■ ■ 4> K {y) = 0(y) an d each yj G Pj. Hence, cj) respects all the colors. 

Our next step is to show that <p respects the tree edges. There are two types of tree edges: 
those which come from a binary tree B(u) constructed according to Definition 10.2 and those which 
come from the copies of the trees T(Si) in Definition 10.3. We start by considering the edges which 
come from the binary trees. For a node (x re ) Xli ... jX(t _ 1 where x = x\ ■ ■ ■ x K and each Xj G Pj, we 
have ^((a^s!,...^!) = {Hxk))^),...,^^)- Let u be the ordering of the nodes (x«) x1 ,..., Xk _ 1 
from Definition 10.3; similarly, let v be the ordering of the nodes (4>(x K )) ( j, 1 ^ Xl y_ ^ XK _ 1 y As we 

already noted, Proposition 10.1 implies that <fi maps the k th node in u to the k th node in v. By 
Definition 10.2, the trees B(u) and B(v) depend only on the orderings u and v and not the labels 
x\---x K and 4>i{x\) ■ ■ ■ 4> K {x K ). Thus, there exists a unique definition of <fi on the intermediate 
nodes of B(u) which respects the edges of B(u) and B(v). Similarly, Consider a node (y K )y X i,-,y K -i 
where x G G, y = y\ ■ ■ ■ y K and each Vj G Py, we have <£((j/ /s )jii!... ) y ( «-i) = (Hy*))^)]...^^)- We 
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fix x G G and let u be the ordering of the nodes (y K )yl]...,y K - 1 for all yj G P, from Definition 10.3; 

similarly, let v be the ordering of the nodes {^{Vii))^^y\ My t ) f° r an e ^j- Proposition 10.1 

again implies that (f> maps the k th node in u to the /c th node in v. It follows that there exists a 
unique definition of <p on the intermediate nodes of each B(u) which respects the edges of each 
B(u) and B(v). 

Next, we consider the edges which come from the trees T Xlv .. jXi _ 1 in Definition 10.3 where each 
Xfc G Pfc and i > k. Consider an edge between the nodes (yiPij) yi ,... ; y i _ 1 and 
where x = xi---Xj, y = yi'''y%, each Xk,yk G Pfc ; x^ = for k < i and i > k. Then 
yi-Pij C XiPij+i so 0[yjPij] C ^[xiPjj+i]. Thus, there is an edge between <t>((yiPij) Xl ,...,x i _ 1 ) = 

((f>{yi)Qij)<Pi(x),-,<l>i-i(x) and ^((^-fij+i)^,-,^-!) = (0(zj)Qj,j+i)0i(z)>---A-i(z)- Consider an edge 
between the nodes (^Pjj)^...,^.! and (yiPi,j+i) y X i,..., yi -i where x G G, z = z\ ■ ■ ■ z i} y = y\ ■ ■ ■ yi, 
each Zk,yk G Pfc, = yt for k < i and i > k; we again have ZjPy C j/jPjj +1 and so the same 

analysis shows that there is a tree edge between 4>{(ziPij) y x 2...,y i _ 1 ) = {4>{ z i)Qij)^^ ^ an d 

We now consider the cross edges. Suppose that xy = z where x,y,z G G; we will show that the 
edges from y+0) to x$ and from xty to y~= are preserved by 4>. By definition, we have 



W*)) = mt {x)) 

4>( x (y)) = cj){ x )^y)) 

Since (j) : G — > H is an isomorphism, cj)(x)(f>(y) = 4>(z) so there are cross edges from (j)(y)+t^ x ^ 
to (f>(x)^ y ^ and from (f>(x)^ y ^ to <p(y)=^\ Since X(S,g(a)) and X(S',h(a)) have the same 
number of edges, it follows that there is an edge between two nodes in X(S,g(a)) if and only if 
there is an edge between their images under (f> in X(S',h(a)). Thus, <j> is an isomorphism so we 
have shown that / : <fi i— y (f> is a map / : IsOg^^h^ (S, S') -> Iso(X(5, <?(<*)), X(<S', fc(a))). 

It remains to show that / is bijective. Suppose that (fti,<p2 £ ^ so g(a)^h(a){Si an d 01 = 02- 
Then in particular we have 4>\{x) = 02 (x) for x G G so 0i(x) = 02 (x) and 0i = 02- Therefore, / 
is injective. Our final task is to show that it is surjective. Let 9 G lso(X(S,g(a)),X(S',h(a))). 
Because the roots Pi and Q\ of X(S,g(a)) and X(S',h(a)) are the only nodes colored "root", 
we have 6 (Pi) = Qi and 9 maps the k th level of X(S,g(a)) to the k th level of X(S',h(a)). In 
particular, a restriction of 9 is a bijection from the nodes x G G of T5 to the nodes y £ H of T$i. 
Then the map : G — > : x H> 0(x) where x G G is a node in T$ is a well-defined bijection. 

We now claim that for any node y( x ) in T^ x \ 9(y^) = <p(y)^ x ^. We know that for x G G, 
T<?^ is rooted at the node x of 7$ and 0(x) = 0(x) by definition of 0. It follows that the node 

9{yW) is in T^ {x)) ; similarly 0(aj(»)) is in T^ {y)) . Hence, we can write 9(y^) = 0(6)^)) and 
9(x^) = 4>(a)&( y ^ for some a, b G G. We know that in X(S', h(a)), the unique shortest path from 
0(x) to 0(y) that passes through a node colored "left" and later a node colored "right" follows the 
tree T^ {x)) to <f>(y)M x », then the path {(f)(y)^\ (f>(y)¥ (x)) , (f>(x) { 4 {v)) , and then the tree 

rjf to 0(y). On the other hand, we know that the path (0(6) W*)), <f>(b)¥ {x)) , 4>(a) ( 4 (y)) , 0(a) (M))) 
exists in X(S', h(a)) by definition of a and 6. Then a shortest path that passes through a node col- 
ored "left" and later a node colored "right" from (f>(x) to 4>(y) follows the tree T^ x ^ to 4>(b)^ x ^\ 
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then the path (0(o)W*)), (f>(b)t {x) \ ^(a) ( 4 {y)) , 0(a) and then the tree T^ (y)) to 0(y). From 

uniqueness, it follows that 0(x) = 0(a) and 0(y) = (j)(b) so x = a and y = b. Thus, for any node 

y (x) in = 0(y)W>(*)). 

Now, we show that is an isomorphism. We have already argued that it is bijective. Let 
x,y G G and set z = xy. Then 6 maps the path (y+0) , x^ , ?/= "* ) in X(<S, <7(a)) to the path 
(<p(y)^ x ^ , (f>(x)4^\ 4>{y)= ^) in X(S',h(a)). Since 6* preserves colors, the colors of the nodes in 
this path are ("left", "right", "equal"). We conclude that 0(x)0(y) = 4>(z). By definition of z, it 
follows that is an isomorphism from G to H. 

We now assert that <j>[Pij] = Qij for all i and j. We know that 9 maps the node (x k ) X1: ,,, :Xk _ 1 
which is colored i g i a )(x) where x = x±---x K and each Xj G Pj to a node (y K )yi,...,y K -i which is 
colored ih(a)(y) = ig(a)( x ) where y = y\ ■ ■ ■ y K and each yj G Qj. By assumption, the mapping from 
the generators g(a) to h(a) extends to an isomorphism from ip : P± ■ ■ ■ P K — > Q± ■ ■ ■ Q K (which must 
be unique). By Proposition 10.1, we see that i g ( a )(x) = ih(a){^{ x ))- It follows that 9{x) = tp{ x ) 
which implies that 4>(gij) = hij and 4>[Pij] = Qij for % < k and all j. 

Now suppose i > k and fix j. Because (f> is an isomorphism, 0(e) = e so 9(e) = e. It follows that 
9 maps the unique shortest path from Pi to e in T$ to the unique shortest path from Q± to e in 
Ts'. Then 9((Pij) xl: ,,_ :Xi _ 1 ) = {Qij) yi ,..., yi _ 1 where each Xk = e and each y^ = e for k < i. Consider 
the paths of the form 



{(Pij)xi,...,x i ^ 1 j {XiPij-l)xi,...,x i - 1 j ■ ■ ■ i { x iPio)xi,...,x i - 1 , {Pi+l,m i+l -l)x\,...,Xii ■ ■ • j {Pio)xi,...,xi-i ) (1) 

where Xj / e G P%j and = e for all k 7^ z. We note that this is the unique shortest path to the 
node x = Xj G Pjj. Moreover, at least one of the nodes on this path is colored "not identity". Since 
none of the nodes on the unique shortest path from (Pij) xll ..., Xi _ 1 to e are colored "not identity", we 
see that the paths of the form of Equation 1 are exactly the unique shortest paths from (P^j) xi,...,xj_i 
to the non-identity nodes x £ Pij of T$ . We can also think of the paths of the form of Equation 1 
as the paths from (Pij) Xl ,...,x i ^ 1 to nodes z G G which pass through nodes labelled "internal" until 
reaching a node (xiPik)xi,...,xi_i which is colored "not identity" where 1 < k < j such that after 
this point, they only pass through nodes which are colored "not identity". Applying the same 
argument, we find that the paths of the form 



— • • • j (yiQio)yi,...,yi-u (Qi+l,m i+ i — > • • • > (Q(.o)y\,...,yi-\ ) (2) 

where y\ 7^ e G Qij and yk = e for all A; 7^ i are the paths from (Qij) yi ,...,y i _ 1 to nodes w £ H 
which pass through nodes labelled "internal" until reaching a node (yiQik)y 1 ,...,y i _ 1 which is colored 
"not identity" where 1 < k < j such that after this point, they only pass through nodes which are 
colored "not identity". 

We have already established that 9((Pij) xlj _„ tXi _ 1 ) = (Qij) yi) ... ) y i _ 1 so it follows that 9 maps each 
path of the form of Equation 1 to a path of the form of Equation 2. Since we already know that 
9(e) = e, this implies that 9 maps the nodes in Pij to the nodes in Q^; it follows that 4>[Pij] = Qij. 

Therefore, is an isomorphism from S to S' which respects g(ct) and h(a). Then 9 = 0. Hence, 
we have proven that / is a bijection. □ 

Theorem 10.9. Let (G,V,S) be a Hall composition series. Then we can compute the canonical 
form Can(5) of (G,V,S) in n O0°gn/iogiogn) time . 
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Proof. We transform the Hall composition series (G, V, S) into a Hall composition series with fixed 
generators. Let us define a = log nj log log n. We reindex so that pi > pj for i < j. Recall that 
our construction of the graph X(S,g(a)) in Definition 10.4 is only defined when p\ > a. The 
reason for this is because it simplifies the correctness proof and definitions (which are already quite 
complex) and is not due to any fundamental difficulty. However, a side effect is that it makes the 
present proof slightly more difficult. We first assume that p\ > a and then show a simple trick 
which reduces the general case to the case where p\ > a. As before, we start by showing a complete 
polynomial-size invariant Inv(5) and then use it to obtain a canonical form. 

Suppose p\ > a and let k be the largest value of i such that pi > a. We compute the set Q a = 
{g(a) = (#1,1, . . . ,ffi, mi , . • • ,g K ,i, ■ ■ -,gK,m K ) I {gij+iPij) = Pij+i/Pij for each i < k} of all possible 
choices of representatives for the factor groups Pj + ij/Pjj where i < k. For each g{a) £ Q a , we 
construct the Hall composition series with fixed generators (G, V, S, g(a), n, a) and compute the 
graph X(S,g(a)). We then compute the canonical form of each X(S,g(a)) and store the results 
in a list A. We sort A lexicographically and choose the lexicographically smallest element of A to 
be Inv(S) of {G,V,S). 

We already know from Lemma 10.7 that |Inv(5)| = poly(n). We now argue that if (H, Q,S') 
is a Hall composition series then S = S' if and only if Inv(tS) = Inv(tS'). First, if Inv(5) = Inv(5') 
then there exist g(a) £ Q a and h{a) £ H a such that (S,g(a)) = (S',h(a)) by Corollary 10.6 
which implies that S = S'. Now suppose that S = S' . Then for each g(a) £ Q a , there exists 
h(a) £ T-L a such that (S,g(a)) is isomorphic to (S',h(a)). Similarly, for each h(a) £ H a , there 
exists g(a) £ Q a such that (S',h(a)) is isomorphic to (S,g(a)). Let A be the sorted list of the 
canonical forms of the graphs X(S,g(a)) where each g(a) £ Q a ; similarly, let B be the sorted list 
of the canonical forms of the graphs X(S',h(a)) where each h(a) £ T-L a . Then A = B by the 
above argument so Inv(<S) = Inv(iS'). Thus, Inv(5) is a complete polynomial-size invariant. 

We claim that the above procedure runs in n c, ^ logn//loglogn ) time. Note that log a n = 0(logn/ log log 
Because pi > a for i < k, \Q a \ < n°( lo s n / ^logiogn) _ g ra ph X(S,g(a)) has at most 0(n 2 ) nodes 

and degree at most maxja, 4} by Lemma 10.7. Thus we can compute the canonical form of each 
X(S,g(a)) in = n O(iogn/iogiogn) timg ^ Computing the canon j ca i forms for all n O(i°g™/i°giog™) 

graphs takes a total of n O(i°g«/i°gi°s™) time Sorting the n O(i°g™/i°gi°g™) canonical forms of the 
graphs also takes n O(iogn/\ogio g n) time go the overall runt ime is n O(iogn/iogiogn)_ 

To complete our argument for the case where p\ > a, we show how to compute the canonical 
form Can(5) from Inv(<S) in polynomial time. Recall that Inv(5) = C&n(X(S,g(a>))) for some 
g{a) £ Q a so there exists an isomorphism 9 : X(S,g(a)) — > C&n(X(S,g(a))). First, we find the 
root node 6(P\) of Can(X (S , g(a))) which is easy since it is the only node colored "root." The 
nodes of the form 0(x) where x £ G are simply those nodes which are some distance d from the 
root. The distance d is equal to the sum of the height of the binary tree T which represents the 
elements of the group P±- ■ ■ P K and the heights of the trees T(Si) for k < i < I. The height of T 
is [log \P\ ■ ■ ■ P K \] = \^ogY\j =1 p^ j ] ; the height of T(Si) is simply the length of Si which is since 
Si is a composition series for the pj-group Pi. Thus, d depends only on the order n of G. Then 
we can find the elements 9{x) for x £ G of Can(X(<S, gr(a))) by breadth-first search. For each such 
x £ G, we then define Xg(0(x)) to be the index of 9{x) in the sequence of nodes 9{x) where x £ G 
obtained in the breadth-first search. Thus, Ac : 9[G] — > [n] is a bijection. 

Let x,y £ G; we will now show how to compute 6{xy) from Can(X(«S, g(a))) given 9{x) and 
9{y). Note that in X(S,g(a)), there is a unique shortest path from x to y that passes through a 
node colored "left" and later a node colored "right" ; namely, this is the path which follows the tree 
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from x to y^ x \ (y^ x \ y^- , x% , x^ ) and then the tree to y. Thus, given nodes 9{x) and 
9(y) in Can(X(S,g(a))), we can find the nodes 9(y^) and 9(x^) in Can(X(5, g(a))). Once this 
has been done for all x,y £ G, the multiplication table M'(G) defined by the rule 6(x)6(y) = 9(xy) 
can be determined by inspecting the multiplication gadgets in Can(X(5, g(a))). 

Using the multiplication table just computed, we can find the node 9(e) in Can(X(S')) which cor- 
responds to the identity. Now since 9 is an isomorphism, it maps unique shortest path from the root 
Pi to e in X(S , g(a)) to the unique shortest path from the root 9(P\) to 9(e) in C&n(X(S, g(a))). 
For i > k, let Xk = e for k < i; the node 9((Pij) Xl: ... :Xi _ 1 ) in Can(X(S,g(a))) is then the node at a 
distance of [log Ylj=i Pj J ~\ + X^=L+i e j + m i~ 3 from the root 9(P\) along the unique shortest path 
to 9(e) in Can(X(5, g(a))). Thus, we can find the node 9((Pij) Xlt ,,, tXi _ 1 ) in Can(X(S,g(a))) which 
corresponds to each Pij where i > n. Moreover, for each i > k, the nontrivial elements x G P^ 
in X(S,g(a)) are precisely the nodes y G G which can be reached from the node (Pij) Xlt ..., Xi _ 1 
where each Xk = e for k < i and Xi G Pij by moving away from the root through nodes colored 
"internal" until reaching a node (xiPik) Xlt ..., Xi _ 1 which is colored "not identity" and then through 
nodes colored "not identity" until reaching Xi G G. Thus, we can find these nodes by breadth-first 
search on C&n(X(S,g(a))). 

It remains to show how to find the nodes of the form 9(x) in C&n(X(S, g(a))) for x G Pij 
where i < k. Let u be the vector of elements oi P\ ■ ■ ■ P K ordered according to ~^ g ( a ) as defined in 
Definition 10.3. Recall from Definition 10.3 that the k th element of u was colored k in the binary 
tree T. From Proposition 10.1, we know that the first elements in the order ^ g ( a ) are the identity 
followed by the elements of g(a). This allows us to locate the elements of the form 9((x k ) X1i „. jXk _ 1 ) 
in C&n(X(S, g(a))) where each Xj = e for j ^ k and Xk £ Pt is an element of the vector g(a). 

Now we find the nodes of the form 9(x) in C&ia(X(S,g(a))) where x is an element of the 
vector g(a). We can write x as the product x\ ■ ■ ■ X£ where Xj = e for j ^ k and Xk G Pk is an 
element of the vector g(a). Thus, the node for x can also be written as (xi) xl ^_, jXe _ 1 . Note that by 
Definition 10.3, (x k ) X1) ,,, )Xk _ 1 is colored "not identity." Moreover, there is a unique path from the 
node (x k ) x1: „_ :Xk _ 1 which moves away from the root and passes through nodes which are colored 
"not identity"; since this path is from (x k ) X1j „_ jXk _ 1 to (xe) Xlj ... jXe _ 1 , we can find each node of the 
form 9(x) in C&n(X(S,g(a))) where x is an element of g(a). 

Recall that g(a) = (g lt i, . . .,gi >mi ,. ■ -,g K ,i, ■ ■ ■ ,g K ,m K ) where (gij +1 Pij) = Pij +1 /Pij. Since u 
starts with e followed by g(a), we can find the node 9(gij+i) which corresponds to each ftj+i for 
i < k. Using the multiplication table M'(G) which we computed previously, we can then determine 
the nodes of the form 9(x) in Can(X(S,g(a))) where x G Pij+i for i < k. 

At this point, for each P^ we know the nodes of the form 9(x) where x G Pij. Since Pi = Pi tmi , 
we have all the information that is required to construct Can(5). Define (f> = 9\ G and tpc = ^cft- 
Let M(G) be the n x n matrix with elements in [n] defined by M(G)^ G ^^ G ^ = ipc(xy) for 
all x,y G G. Thus, we can compute ip[Pi] and ipa[Pij] for each i and j. We then set Can(5) = 
(M(G), Y> G [Pi], . . • , MPe],MPio], ■ ■ ■ AG[Pi,m % ], ■ ■ .*[Pffl], • • • , MPe,m e }) as in Definition 9.8. 

We claim that Can(5) is a canonical form for S. Let (H, Q, S 1 ) be a Hall composition series. By 
construction, ipc '■ G — > [n] is an isomorphism from G to the group described by the multiplication 
table M(G). If Can(5) = Can(S') then ipj^tpc is an isomorphism from S to S' so S = S' . 
Suppose that S = S'; then Inv(5) = Inv(5'). Since we computed Can(5) deterministically and 
this computation depends only on Inv(5), n and the composition length of each Pi and , it follows 
that Can(S) = Can(S')- 

We have shown how to construct a canonical form when pi > a. Now suppose that p\ < a after 
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reindexing so that pi > pj for i < j. We choose a prime 2a < q < 4a which exists for sufficiently 
large n by Bertrand's Postulate. We then construct a new group G = 7L q x G and consider the Hall 
composition series (G,P,S) where P = V U {l^q} and S = S U {{e} <iZ g }. We note that \G\ = qn 
and q > 2a. Moreover, 



(3 = log(qn) j loglog(gn) 
log q + log n 
log (log g + logn) 
2 log n 
~~ log logn 
= 2a 

so q > (3. Thus, we can compute a canonical form Can(5) for the Hall composition series 
(G, P, S) in time 



(•g n )0(log(gn)/loglog(<?n)) _ ^^0(logra/ log logn) 

= n O(logn/ log logn) since g < n 

For some g(a) G ^, we have Can (S) = Can(X (S, g (/?))). Let : X(S,g(P)) -»• Can(X (5, £ (/?))) 
be the isomorphism which was used to define Ag. Let / = {Ag(#(x)) | x G G} C [nq] and define 
p<5 : / — > [n] : \q(9(x)) h- >■ A; where Ag(#(x)) is the k th smallest element of I. Let tpc = Pg^g@- By 
Definition 9.8, Can(5) contains Vg[-Pj] and tpaiPij] f° r each i and j. Moreover, we can extract a 
multiplication table M(G) from M(G) by deleting all rows and columns except those which corre- 
spond to elements of ipc[G] (which we can compute deterministically in the same manner as before). 
Set Can(S) = (M(G), Vg[^i], • ■ ■ , V>g[^], ^g[Ao], ■ ■ • , ^[A.mJ, • • ■ , V>g[^o], ■ • • , V'G^mJ) as in 
Definition 9.8. 

Finally, we prove the correctness of our reduction from the general case. Let (H, Q, S') be a 
Hall composition series. By construction, tpc '■ G — > [n] is an isomorphism from G to the group 
described by the multiplication table M(G). If Can(5) = Can(«S') then i/;^ ipc is an isomorphism 
from S to S' so S = 5'. Suppose that S = S' . This implies that S = S' so that Can(5) = Can(<S'). 
Since we computed Can(S) deterministically and this computation depends only on Can(S), n, q 
and the composition length of each Pi, it follows that Can(5) = Can(S'). □ 
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C Variants of the generator-enumeration algorithm 



In this section, we derive more efficient randomized and quantum versions of the generator-enumeration 
algorithm using collision detection. We also show how to modify the generator-enumeration algo- 
rithm for the group canonization problem. These algorithms are based on sorting the rows and 
columns of the multiplication table according to the ordering from Proposition 10.1 — a technique 
which was introduced by Wagner [39]. 

Definition C.l. Let G be a group and let g be an ordered generating set for G. There is a unique 
order < g on the elements of G by Proposition 10.1. We relabel each element of G by its position 
in the ordering z< g ; the elements of G are then labelled by [n]. We reorder the rows and columns 
of the multiplication table of G so that the elements for the rows and columns appear in the order 
1, . . . , n and denote the result by M g . 

Lemma C.2. Let G and H be groups. Let Qi and T-Lg be the collections of all ordered generating 
sets of G and H of size at most I and define Mg{G) = {M g \ g G Qt\. 

(a) For each g G Q, the group defined by the multiplication table M g is isomorphic to G. 

(b) IfG^H then M e (G) n M t {H) = 0. 

(c) M f (G) = M e {H) if and only ifG^H. 

(d) If (ft '■ G —7- H is an isomorphism, then the map : Mi(G) — > Mi{H) : M g i— >■ Mh where 
h = 4>{g) is the vector obtained by applying (ft to each element of g is the identity. 

Proof. Observe that for any g G Ge, the group defined by the multiplication table M g is simply 
the multiplication table of G up to the relabeling performed in Definition C.l. Thus, this group 
is isomorphic to G which proves (a). For part (b), if G ^ H but M G M e (G) n M e (H) then G 
would be isomorphic to the group defined by the multiplication table M which is also isomorphic 
to H. For part (c), we already know from (b) that if G ^ H then Mg(G) n M e (H) = so that 
Mg(G) 7^ Mg(H). For the converse, we argue as follows. 

Fix an isomorphism (ft : G — > H and define as in the statement of the lemma. We claim 
that for every ordered generating set g of G, we have M g = Mh where h = (ft(g). We know from 
Proposition 10.1 that for x, y G G, x ^ g y if and only if (ft(x) <ft(y)- Since (ft{x)(ft{y) = (ft(xy) 
as (ft is an isomorphism, it follows that M g = Mh so <&(M g ) = M g . Thus, is the identity and 
therefore a well-defined injection. It remains only to show that Mg(G) is not a proper subset of 
M e (H). Consider the map : M e (H) -)• M e (G) : M h i-> M g where g = (ft^ih). The same 
argument implies that <£>' is an injection which shows that \Mg(H)\ < \Mg(G)\. It follows that 
M e (G) = M t (H) which proves (c) and (d). □ 

Theorem C.3. Let G and H be groups. Then we can test if G = H in 

(a) n log p n +°( 1 ) time for deterministic algorithms 

(b) n( 1 / 2 ) log p ra+0( ' 1 ) time for randomized algorithms 

(c) n( 1 / 3 ) log p ri+ ° ( ' 1 ) time for quantum algorithms 

where p is the smallest prime dividing the order of the group. 

Proof. Part (a) is immediate from the generator-enumeration algorithm. For part (b), we modify 
the generator-enumeration algorithm to use Definition C.l so that our collision argument applies. 

Let Qn and Tig be the collections of all ordered generating sets of G and H of size at most 
£ = log p n and define Mg(G) = {M g \ g G Ge}- We already know from part (c) of Lemma C.2 
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that Mi(G) = Mi(H) if and only if G = H. We guess subsets A and B of Qi and Hi of size 
n (i/2) iog p n+0(i) _ gy a co Hi s i on detection argument, if G = H then there exist g £ A and h £ B 
such that M g = with high probability. 

We compute M g and Mh for all g G ^4 and h £ B and store the results in the lists A and i? 
respectively. Since each M g and is an n x n matrix with elements in [n], we can sort these 
lists lexicographically. This takes only n^ i ° s p n+ ° ( - 1 \(l/2) log p n + 0(1)) log n = n ^^ los p n+ °^ 
time. Once A and B have been sorted, we can test if there exist g £ A and h G B such that 
M g = Mh by merging A and B and checking for duplicates. This yields our n ( - 1 / 2 - >log p n+0 ( 1 - > 
randomized generator-enumeration algorithm which proves part (b). For part (c), we use quantum 
claw detection [11] instead of guessing the subsets A and B uniformly at random. □ 

The argument of Theorem C.3 can also be used to obtain an n log p n+0 ^ algorithm for group 
canonization. First, we define the group canonization problem precisely. 

Definition C.4. Let G be a group G. We say that Inv(5) is a complete polynomial- size invariant 
for G if the following hold: 

(a) If G and H are groups then G = H if and only if lav (G) = lav(H). 

(b) \lav{G)\ = poly(n) 

Definition C.5. Let G be a group. We define the canonical form Can(G) to be an n x n matrix 
such that: 

(a) The entries o/Can(G) are elements of [n]. 

(b) Can(G) is the multiplication table for a group which is isomorphic to G. 

(c) Can(G) is a complete polynomial- size invariant. 

In the group canonization problem, we are given a group G and must compute Can(G). 

Theorem C.6. Let G be a group. We can compute a canonical form Can(G) for G in n, 1 °Sp n +°( 1 ) 
time where p is the smallest prime dividing the order of the group. 

Proof. Let Qi and Ht be the collections of all ordered generating sets of G and H of size at most 
i = log p n and define Mg(G) = {M g \ g G Qi}. We compute M^(G) and store the results in a 
list A; this takes n log p n+ °( 1 * > time. Because each M g is an n x n matrix with entries in [n], we 
can sort A lexicographically in n log p n+ °( 1 ) time. Let M g be the first element of A. We define 
Can(G) = M g . This is the lexicographically least element of M^G). We claim that G = H if and 
only if Can(G) = Can(fl'). 

There exist g G Qi and h £ Hi such that M g = Can(G) and M h = Caa(H). If Can(G) = 
C&a(H), then by part (a) of Lemma C.2, G is isomorphic to the group defined by the multiplication 
table M g = Mh which is isomorphic to H. Conversely, \fG = H then part (c) of Lemma C.2 implies 
that M e (G) = Mi{H) so that Can(G) = Can(tf). □ 
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D Algorithms for group canonization 



In this section, we adapt the deterministic variants of our algorithms for group canonization (see 
Definition C.5). First, we prove an analogue of Theorem 1.2. 

Theorem D.l. Group canonization is n^ 1 / 2 ) 10 ^™ 4 " ^ time deterministic Turing reducible to 
composition-series canonization where p is the smallest prime dividing the order of the group. 

Proof. We compute all of the n^ 1 / 2 - >log p n+ °^ 1 - > composition series for G which arise from some 
choice of socle decompositions in Algorithm 1 by Lemma 5.5. For each such composition series S, 
we compute canonical form Can(S') and store the result in a list A. We sort A lexicographically in 
n (i/2) iog p n+0(i) ^ me anc L se i ec t the first element Can(S) of A. By Definition 3.11, Can(5) contains 
a multiplication table M for a group with the underlying set [n] which is isomorphic to G. We 
define Can(G) = M(G) and claim that this is a canonical form for G. 

Let H be a group and suppose that Can(G) = Can(H); then G and H are both isomorphic 
to the group described by the multiplication table M(G) = M{H) so G = H. Conversely, assume 
that G = H. Then for every composition series S for G which is computed by Algorithm 1 for some 
choice of socle decompositions, there exists a choice of socle decompositions such that Algorithm 1 
computes a composition series S' for H which is isomorphic to S by Lemma 5.3. Similarly, for 
every composition series S' for H which is computed by Algorithm 1 for some choice of socle 
decompositions, there exists a choice of socle decompositions such that Algorithm 1 computes a 
composition series S for G which is isomorphic to S' by Lemma 5.3. It follows that the list A of 
canonical forms Can(5) of composition series for G is equal to the list B of canonical forms Can(S") 
of composition series for H. Therefore, Can(G) = C&n(H). □ 

This yields an algorithm for p-group canonization. 

Theorem D.2. Let G be a p-group. Then we can compute the canonical form Can(G) for G in 

n (l/2)logn+0(l) Ume 

Proof. By Theorems D.l and 3.12, we can perform p-group canonization in n/ 1 / 2 -* log p n+c P time for 
some constant c > 0. Let us call this algorithm A. From Lemma 6.2, we know that n*- 1 / 2 ) log p n+cp = 
n (i/2)io g n+0(i) for 2 < p < m n/2clnV Lemma 6.3 implies that n lo s p n+0(i) = n o(io g n/io g io g n) 

for p > lnn/2cln 2 p. We can define an algorithm which runs A when 2 < p < lnn/2cln 2 p 

and runs the algorithm of Theorem C.6 when p > lnn/2cln 2 p. The overall complexity is then 

n (l/2)logn+0(l)_ ! n 

Now we adapt our deterministic algorithm for solvable groups to perform canonization. 

Theorem D.3. Solvable-group canonization is n^ 1 / 2 - )log p™ +0 ^ 1 ^ time deterministic Turing reducible 
to Hall composition-series canonization where p is the smallest prime dividing the order of the group. 

Proof. Suppose that we have an algorithm for Hall composition-series canonization. Let G be a 
solvable group whose order has the prime factorization n = Yli=iPi l - The result follows from the 
same argument as Theorem D.l except that we use Hall composition series instead of composition 
series. Let p be the smallest prime which divides the order of G. By Lemma 9.6, the number of Hall 
composition series (G,V,S) for G for some choice of Sylow basis V = {Pi \ 1 < % < £} and some 
choice of socle decompositions in Algorithm 1 for computing each composition series Si £ S for 
Pi £ V is at most n 1 - 1 / 2 ) log p n +°( 1 ) . We compute the canonical form of every such Hall composition 
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series (G,V,S) and store the results in the list A. We sort A lexicographically and select the first 
element Can(5) of A. Recall from Definition 9.8 that Can(5) contains a multiplication table M(G) 
for a group with the underlying set [n] which is isomorphic to G. Let us define Can(G) = M(G). 

We can compute a Sylow basis V = {Pi | 1 < % < £} for G in poly(n) time by Lemma 9.4. All 
Sylow bases of G are conjugate by Theorem 7.5 so once we know a Sylow bases of G the others can 
be found in polynomial time. It follows that Can(G) can be computed using poly(n) preprocessing 
time and n*- 1 / 2 ) log p n +°( 1 ) calls to the algorithm for Hall composition-series canonization. 

Let H be a solvable group. We claim that G = H if and only if Can(G) = Can(H). If 
Can(G) = Can(if) then it follows that G and H are both isomorphic to the group described by 
the multiplication table M(G) = M(H) so G = H. Conversely, let us suppose that G = H 
and fix an isomorphism <p : G — >■ H. For any Sylow basis V = {Pi | 1 < i < £} of G, there is a 
Sylow basis Q = {Qi | 1 < % < £} of H such that 4> is an isomorphism from V to Q. Consider 
a set S = {Si \ 1 < i < £} where each Si is a composition series for Pi which arises from some 
choice of socle decompositions in Algorithm 1. Then Lemma 9.5 implies that there exists a set 
S' = {Si | 1 < i < £} where each S^ is a composition series for Qi which arises from some choice of 
socle decompositions in Algorithm 1 such that <p is an isomorphism from each Si to S[. Therefore, 
S = S' so for any Hall composition series that can be constructed for G for some choice of Sylow 
basis and some choice of socle decompositions, there exists a choice of Sylow basis and some choice of 
socle decompositions which yields an isomorphic Hall composition series for H. The same argument 
shows for any Hall composition series that can be constructed for H for some choice of Sylow basis 
and some choice of socle decompositions, there exists a choice of Sylow basis and some choice of 
socle decompositions which yields an isomorphic Hall composition series for G. It follows that the 
list A of the canonical forms of the Hall composition series for G contains the same elements as 
the list B of the canonical forms of the Hall composition series for H. Therefore, after we sort A 
and B, the two lists are equal so Can(G) = Can(i/). □ 

Theorem D.4. Let G be a solvable group. Then we can compute the canonical form Can(G) for 

G j nn (l/2)log p n+0(logn/loglogn) Ume 

Proof. This follows immediately from Theorems D.3 and 10.9. □ 
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E The flaws in Wagner's algorithm 



In this section, we describe the flaws in Wagner's n°( logri// lo s lo s n ) algorithm [39] for general composition- 
series isomorphism. The most serious of these is a dependence on the coset representatives chosen. 
As a result, Wagner's algorithm for composition series isomorphism only applies to the p-groups 
(and a slight generalization). Following communication with the author, Wagner attempted to fix 
this flaw in later revisions of his paper [40, 41]; however, the fix described in these versions contains 
a more subtle variant of the same problem and is therefore incorrect (see Subsection E.4 below). 
Moreover, the flaw in Wagner's attempted fix [40, 41] appears to be serious and we suspect that 
it cannot be salvaged without major changes (see Subsection E.5 below). After further discussions 
with the author, Wagner retracted his attempted fix [40, 41] in the latest revision of his paper [42] 
which scales back his claims so that only Subsection E.6 of this appendix is applicable. 

E.l Wagner's algorithm for general composition-series isomorphism 

Before describing Wagner's algorithm [39] for general composition series isomorphism, it is necessary 
to introduce his modification of the generator-enumeration algorithm for composition series isomor- 
phism. Let S and S' be composition series consisting of the subgroups Go = {e} < ■ ■ ■ < G m = G 
and Hq = {e} < ■ ■ ■ < H m = H. Then the generator-enumeration algorithm can be modified for 
composition-series isomorphism by guessing generators for each factor of S. Since composition 
factors are simple we now make use of a corollary of the classification of finite simple groups. 

Proposition E.l ([28, 23]). Every finite simple group has a generating set of size at most 2. 

We can find a generating set of size at most 2 for any simple group by brute force since there are 

only (2) possibilities. Then we find a generating set for each factor of S and choose representatives 

of the two cosets that generate the factor group. The resulting set is a generating set K for 

G. We then consider all mappings from K to H. If a is a lower bound on the order of each 

composition factor in S then at most 2 log a n elements of H must be guessed so the algorithm runs 
in n 2io ga n+0(i) time> 

Wagner's reduction from p-group composition-series isomorphism to graph isomorphism also 
applies to composition series for general groups. However, if some of the composition factors have 
large orders then the resulting graph can have high degree. In this case, bounded-degree graph 
isomorphism algorithms will perform poorly. Wagner's idea was to circumvent this problem by 
integrating his modification of the generator-enumeration algorithm into the reduction in order to 
eliminate the high degree nodes. To do this, fix a parameter a. For each composition factor Gj+i/Gj 
of S that has order greater than a, guess a generating set Ki of size at most 2 and representatives 
ai,bi £ Gj+i of the two cosets (if there is only one coset then set ai = bi). We then construct the 
graph X(S) as before (see Section 3) but then modify it to eliminate nodes of high degree. For 
each \Gi + i/Gi\ > a, remove the edges between the nodes in the sets G/Gj+i and G/Gi. For each 
xGi + i, consider the set C of nodes yGi C xGi + \ to which it was connected. Wagner noted that 
the elements of C may be written as xgGi where g is an element generated by Oj and bi. The 
generators a» and bi can also be used to define a total order on the elements g that they generate. 
Suppose this order is g\ -< ■ ■ ■ -< gk- The idea was to order the nodes in C as xgiGi, . . . , xg^Gi. A 
binary tree that has the nodes in C as its leaves can be constructed by attaching a new node to the 
two leftmost nodes in C. Next, we attach another new node to the next two leftmost nodes and 
continue until we have run out of nodes. We continue the process recursively on the binary trees of 
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depth 1 (and the singleton node on the far right if the cardinality of C is odd). This yields a binary 
tree with the nodes in C as its leaves. The root of this tree is then identified with xd+\. Finally, 
we color the nodes xaiGi and xbiGi special colors by attaching path graphs of constant length. 

We then construct the graph for S' in the same way. Let our guesses for the representatives of 
the generators of the factors Hi + \/Hi of S' which have order more than a be denoted d i and b\. 

E.2 The main flaw in Wagner's algorithm 

Let us denote by Y(S) and Y(S') the graphs that result from the process described in Subsec- 
tion E.l. These graphs have degree a + 0(1) so it can be decided if Y(S) = Y(S') in n a+ °^ time. 
Wagner claimed [39] that there is an isomorphism from S to S' that maps a, to a' { and bi to b\ for 
all % if and only if Y(S) = Y(S'). The problem is that the ordering xg\Gi, . . . , xg^Gi that was used 
to construct the binary trees depends not only on a, and bi but also on the coset representative x. 
For example, if we had chosen the representative z = xa^ 1 instead of x, then we would obtain a 
different ordering. 

This is unfortunate since if Wagner's result for general composition-series isomorphism were 
correct, our results would generalize to arbitrary groups. We remark however that if the orders of 
the composition factors decrease as we move away from the top group G in the composition series 
then Wagner's trick for fixing the generators works correctly. This is because in this case we have 
guessed all of the generators above each high-degree node in the tree so there is a unique choice of 
coset representatives. 

E.3 Natural attempts to patch the flaw 

We now discuss why various natural methods for fixing the flaw described in Subsection E.2 do not 
work. The most obvious idea is to simply guess all of the coset representatives x for every node 
xG{. This yields a correct algorithm which has a runtime that is much slower than the generator- 
enumeration algorithm. A slightly better idea is to determine the position of the composition factor 
Gi + \/Gi in S with cardinality more than a which is the farthest from the top of the composition 
series; we then guess representatives for the generators of the composition factors from the top 
of the tree down to this last large composition factor 6 . This fixes the problem of the ordering 
depending on which representatives x of each xGi are chosen; however, if the last composition 
factor in S has cardinality greater than a then this will involve guessing representatives for the 
generators of all composition factors in S. As a result, the worst-case performance of this approach 
is no better than the generator-enumeration algorithm. 

E.4 Wagner's attempt to fix the flaw 

Following communication with the author, Wagner revised his paper with a proposed fix [40, 41] 
for the flaw described in Subsection E.2. The revised construction is nontrivial and adds six pages 
to the last version without the proposed fix [39]. Wagner [40, 41] gives a sketch 7 of a correctness 
proof for the proposed fix but does not address the details and subtleties that would arise in a 
rigorous proof. Unfortunately, the proof is incorrect and the proposed fix fails to truly repair the 

6 This was proposed to us by an anonymous reviewer as a possible fix for Wagner's algorithm. 
7 The core of Wagner's argument is that the proof is essentially the same as before; this ignores the differences 
between the original construction and the revised version. 
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flaw. The result is a new algorithm which fails due to a more subtle dependence on the coset 
representatives which are chosen. Moreover, we shall argue that the revised construction [40, 41] 
breaks the structure of the group so it appears that it is not much closer to yielding an algorithm 
for general composition-series isomorphism than Wagner's previous algorithm [39]. In our work, 
we avoid this problem by exploiting the additional structure which exists in solvable groups. 

Wagner's idea for fixing the flaw is that the socle can be written as a direct product soc(G) = 
M\N\ where M\ contains the parts of the socle which result in large composition factors and N\ con- 
tains the parts of the socle which result in small composition factors 8 . Similarly, soc(G/soc(G)) = 
M2N2 where M2 consists of the parts of soc(G/soc(G)) which correspond to large composition 
factors and N2 corresponds to the parts which correspond to small composition factors. In general, 
it is necessary to continue this process recursively. However, in our case we shall assume that 
soc(G/soc(G)) = G/soc(G) since this suffices to illustrate the flaw. 

We can construct a composition series S for G which starts with the composition factors for M2, 
then N2, then M\ and finally N\. The problem with this is that we need to apply the generator- 
fixing trick to the composition factors which correspond to M2 and M\ without fixing the generators 
for the composition factors which correspond to N2. However, it isn't clear how to do this since 
we must fix generators for a continuous sequence of composition factors starting from the top of 
the composition series. Fixing generators for only M\ and M2 but not N2 runs into the problem 
described in Subsection E.2. Wagner's idea for fixing the flaw was to move M\ to the top of the 
tree so that M\ and M2 come before N\ and N2. 

Let Xi be a complete set of coset representatives for G/soc(G). Then any element of g G G can 
be written as g = x%yz for some i where y G Mi and z G N±. The revised construction is inspired by 
the fact that g = y Xi XiZ where y x = xyx^ 1 denotes conjugation. We construct a composition series 
for M\ and compute the corresponding tree T. The leaf nodes of T are labeled by the elements of 
Mi . For each leaf y G Mi of T, we attach a copy T y of the tree which corresponds to a composition 
series for G/soc(G). The nodes of each tree T y are labelled by the elements of G/soc(G). To each 
leaf node XjSoc(G) of each T y , we attach a copy T yx . soc ^ of the tree for a composition series of 
Ni. The leaves of each tree T yXiSOC ^ are labelled by the elements of N\ so now we must relabel 
them so that the leaves of all the trees T yx . soc rQ\ represent the elements of G. 

Wagner does this by setting the label of the leaf z G Ni in the tree T y XiSOC (a\ to yxiZ. The 
problem is that there is a strong dependence on the representatives X{. Let us fix some j and 
suppose that we replace Xj with Xj G XjSoc(G). Consider the element g = yxjZ where y G Mi and 
z G Ni. Then g corresponds to the node for z in the tree T yx . soc ^ when we use the original coset 
representatives Xi for G/soc(G). However, when Xj is replaced by Xj, then for some y G Mi and 
z G N\ we have 



g = yxjyzz 
= yy Xj XjZZ 
= yxjZ 

where y = yy x J and i = zz. Thus, when Xj is replaced by Xj, the node which corresponds 
g is ripped out of the tree T y x . soc ^ and associated with the node for z in the tree T y ^ XjSOC ^ = 



It is easy to compute M\ and N\ by calculating each minimal normal subgroup Li of G. Every minimal normal 
subgroup Li can be written as a direct product Ylj Sij where each Sij is simple and Sij = Sik for all j and k. Then 



we can compute Mi = H i: \ s . \ >a Sij and Ni = H i: \ s . . |< a Sij 
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Ty X soc (G). Moreover, y £ M\ and z £ iVi can be arbitrary depending on the choice of the 
representative Xj £ XjSoc(G). Thus, Wagner's revised construction for general groups does not 
respect the structure of G unless the coset representatives Xi are chosen in a consistent manner. 

The above construction can be made to work if we guess a complete set of representatives for 
the factor group G/soc(G) rather than just for the subgroups Mj. In fact, it is only necessary to 
guess representatives of a generating set of G/soc(G) since the representatives of a generating set 
determine a complete set of representatives. However, the resulting algorithm for composition-series 
isomorphism no better than the generator-enumeration algorithm in the worst case. This is in sharp 
contrast to the n°( logra//loglogra ) runtime obtained for p-group composition-series isomorphism. 

E.5 Can Wagner's attempted fix be fixed? 

Given the conclusions of Subsections E.3 and E.4, a natural question is whether the ideas in 
Wagner's attempt to fix the flaw [40, 41] can be made to work with minor changes. We will 
now present intuitive (but non-rigorous) arguments that the proposed fix [40, 41] fundamentally 
breaks the structure of the group and therefore cannot be salvaged without major changes. In our 
algorithm for solvable groups, we avoid this problem by using different techniques which exploit 
additional structure in solvable groups that manifests itself in the form of Sylow bases. 

To illustrate our arguments, we shall restrict our attention to a semidirect product Z p x Z g 
where p is a large prime and q is a small prime. Isomorphism testing for this class of groups can 
be done efficiently using specialized methods [15]; however, one can imagine more complex groups 
for which the similar problems arise 9 . Intuitively, applying Wagner's fix to this group would imply 
that we could reverse the semidirect symbol so that Z p x Ij q is the same as some semidirect product 
ZpKZ q . Of course, this is not possible for general semidirect products which suggests that Wagner's 
fix [40, 41] cannot be salvaged without significant new ideas. 

It is important to note that the arguments in this subsection are non-rigorous and it is not clear 
if they can be made more precise. However, any algorithm which is based on composition-series 
isomorphism must avoid breaking the structure of the group in this way. Our algorithm for the 
solvable groups surmounts this obstacle by utilizing special properties of solvable groups (namely 
Sylow bases) in the construction of the graph. 

E.6 Other flaws 

Wagner's algorithm [39, 40, 41, 42] also contains a second less serious flaw that can be fixed. In 
Wagner's algorithm [39] for constructing a composition series, he implicitly assumes that the socle 
of G is the direct product of all of the minimal normal subgroups 10 of G. This is incorrect as one 
can see by considering the socle of the group Zp. However, since Wagner represents the composition 
series using generators, this problem can be corrected without significantly affecting the runtime 
of his algorithm. In our case, we represent composition series as the subsets of G that correspond 
to the intermediate subgroups and the fact that the socle of G is not the direct product of all of 
the minimal normal subgroups of G has a significant impact on the runtime. Indeed, if the socle 
of G was the direct product of all minimal normal subgroups of G we could improve our reduction 
from group isomorphism to composition-series isomorphism to run in n°^ oglogn ^ time. 

9 For example, suppose that Z p and Z q are replaced by non-Abelian simple groups. 

10 The three most recent revisions of Wagner's paper [40, 41, 42] correct this error in the algorithm but do not 
properly account for the cost of choosing a subset of the minimal normal subgroups in the runtime. 
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F Group theory proofs 

In this section, we provide more results from group theory and fill in some of the proofs omitted in 
Section 2. 

Proposition F.l. If K char H char G then K char G. 

Proof. Let <j> G Aut(G). Then <j>[H\ = H so <j>\ H G Aut(tf). Therefore, <j>\ H [K] = K so K char G. 

□ 

Proposition F.2. If H char A < G i/ien H <G. 

Proof. Let x £ H and p G G. Clearly, i g (x) = x 9 £ N so i g \ N G Aut(A). Therefore, t g \ N [H] = H 
and // - : (,'. ' □ 

The following proposition follows from Proposition F.2. 

Proposition 2.1 (cf. [18, 43]). Every minimal normal subgroup is characteristically simple. 

Proposition F.3. Let G and H be groups and let (ft : G — > H be a homomorphism. 

(a) If K <G then 4>[K] < <j>[Q\. 

(b) IfL< 4>[G] then tfT^L] < G. 

Proof. To prove part (a), suppose that K < G let x G K and g G G. Then x 9 £ K so (p(x)^ 9 ^ = 
(f)(x 9 ) G 4>[K] and < <j)[G]. For part (b), suppose L < </>[G] and let x G (A" 1 ^] and 5 ^ G. 

Then (/)(x 9 ) = ^{xf^ £ L so x 9 £ □ 

Corollary F.4. Zei N be a normal subgroup of a group G and N < H < G. Then H/N < G/A^ 
z/ and on/y i/ < G. 

Proof. Let : G — >■ G/A be the canonical map. By Proposition F.3, if H < G then yfiJ] = -ff/A < 
G/A. Similarly, if i7/A < G/A then <p _1 [iJ/A] = H < G by Proposition F.3. □ 

Definition F.5. Let G and H be groups and let <f> : G — > H be a homomorphism. Then the kernel 
of (f) is denoted by ker (j) = {x G G | <fi(x) = e}. 

Proposition F.6. Let G and H be groups and let <f> : G — > H be a homomorphism. Then ker <f> < G. 

Proposition F.7 (First Isomorphism Theorem, cf. [22, 34, 33]). Let G and H be groups and let 
(p : G — > H be a homomorphism. Then G/kercp = 4>[G]. 

The second and third isomorphism theorems are actually corollaries of the first isomorphism 
theorem. 

Proposition F.8 (Second Isomorphism Theorem, cf. [22, 34, 33]). Let H be a subgroup of a group 
G and let K be a normal subgroup of G. Then HK/K = H/H n K. 

Proposition F.9 (Third Isomorphism Theorem, cf. [22, 34, 33]). Let H and K be normal subgroups 
of a group G. Then j^jjj = G/K. 

Proposition 2.2 (cf. [32, 18, 43]). A group is characteristically simple if and only if it is the direct 
product of isomorphic simple groups. 
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Proof. Suppose G is characteristically simple. Choose a minimal normal subgroup Nq of G. If 
No = G then G is simple. Consider a direct product H = Y\ i N of isomorphic minimal proper 
normal subgroups of G. If H = G, then we note that each N is characteristically simple. We thus 
argue by induction that each N is a direct product of isomorphic simple groups and we are done. 
Otherwise, H<G so there exists <\> G Aut(G) such that <j>[H] j£ H. Then for some i, N = (f>[Ni\ j£ H; 
because iV is a minimal normal subgroup of G, NnH = {e}. Since H < G, HN is a direct product 
of minimal normal subgroups of G. Thus, G may be written as a direct product of minimal normal 
subgroups and the result follows by induction on the subgroups N. □ 

We note that the converse of this result is also true. 

Proposition 2.3 (cf. [32, 18]). The socle of a group is a direct product of minimal normal subgroups. 

Proof. Let G be a group. If N± and N2 are minimal normal subgroups of G, then N± n N2 = {e}. 
Also, the elements of Ni and N2 commute so they form a direct product that is a subgroup of the 
socle. By continuing this process, we can write the socle as a direct product of minimal normal 
subgroups of G. □ 

Proposition 2.4 (cf. [37]). The socle and minimal normal subgroups can be computed in polynomial 
time. 

Proof. We assume G is nontrivial; if G is trivial then the socle and minimal normal subgroups of 
G are also trivial. For each nontrivial x 6 G, we test if x the normal closure (x) G of x is a minimal 
normal subgroup. Now (x) G < G so we check if (x) G is minimal. This is done by considering each 
nontrivial y G (x) G and computing (y) G which is the smallest normal subgroup of G that contains 
y. If (x) G = (y) G for all y £ (x) G then (x) G is minimal; otherwise, it is not minimal. Once we have 
computed the set M of all minimal normal subgroups of G, we simply take the subgroup generated 
by the minimal normal subgroups of G which by definition is the socle of G. □ 

Proposition F.10 (Jordan-Holder, cf. [32, 34]). The multiset of isomorphism classes of the com- 
position factors of a group is an isomorphism invariant. 

The following theorem can be proved using the class equation. 

Proposition F.ll. The center of every p- group is nontrivial. 

Corollary F.12. Every simple p-group is isomorphic to Z p . 

Proof. Let G be a simple p-group. Then its center Z{G) is a nontrivial Abelian group. It follows 
that there is an element x G Z(G) that has order p. The group H = (x) is contained in the center 
and is therefore normal in G. Since H is nontrivial, G = H = Z p . □ 

Theorem 2.5 (First Sylow Theorem, cf. [32, 22, 34, 1, 33]). Let G be a group and let p be a prime 
that divides its order. There exists a Sylow p-subgroup of G. 

One can in fact prove a stronger version of the First Sylow Theorem [32, 22]. 

Theorem F.13. The Sylow p-subgroups of G are the maximal p-subgroups of G. 

Theorem 2.6 (Second Sylow Theorem, cf. [32, 22, 34, 1, 33]). All Sylow p-subgroups of G are 
conjugate. 
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Theorem F.14 (Third Sylow Theorem, cf. [32, 22, 34, 1, 33]). The number of Sy low p- subgroups 
of G is equal to 1 mod p. 

Proposition F.15. Every composition factor of a p- group has order p. 

Proof. This follows from Corollary F.12. □ 

Proposition F.16. Let G be a group and let N be a normal subgroup. Then G/N is simple if and 
only if N is a maximal normal subgroup of G. 

Proof. Suppose N is a maximal normal subgroup of G and H/N < G/N for some N < H < G. 
Then by Corollary F.4, H < G so H G {TV, G}. It follows that G/N is simple. If G/N is simple then 
consider N < H < G. By Corollary F.4, H/N < G/N so H/N G {{N}, G/N}. Thus, H G {/V, G} 
so N is a maximal normal subgroup of G. □ 

Proposition F.17 (cf. [32, 34, 33]). Let S denote the subnormal series Go = {e} < ■ • ■ < G m = G. 
Then S is a composition series if and only if every factor group Gi+i/Gi is simple. 

Proof. By Proposition F.16, Gj+i/Gj is simple if and only if each Gi is a maximal normal subgroup 
of Gi+i; this is precisely the definition of a composition series. □ 

It is easy to show that p-group isomorphism is equivalent to nilpotent-group isomorphism. We 
prove this with the following three propositions. 

Proposition 2.7 (Kantor [20]). A Sylow p-subgroup of a group G can be computed in polynomial 
time. 

Proof. We start by computing the largest power p e of p which divides n. By definition, each Sylow 
p-subgroup of G is of order p e . From Theorem F.13, an equivalent definition is that a Sylow p- 
subgroup is a maximal p-subgroup of G. We start by choosing a nontrivial element g\ G G of order 
a power of p and computing the subgroup K\ = (gi) generated by g±. Then K\ is contained in some 
Sylow p-subgroup of G. If \K\\ = p e then we have a Sylow p-subgroup of G; otherwise, we choose 
a nontrivial element <?2 G G \ K\ of order a power of p which generates a subgroup K2 = (gi, 52) of 
order a power of p. By continuing this process until we obtain \Kj\ = p e , we can compute a Sylow 
p-subgroup in polynomial time. □ 

Proposition F.18 (cf. [32, 18, 34, 33]). A group is nilpotent if and only if every Sylow subgroup 
is normal if and only if it is a direct product of its Sylow subgroups. 

Proposition F.19. Nilpotent-group isomorphism is Turing reducible top-group isomorphism where 
each p divides n. 

Proof. Let G and H be nilpotent groups. Then the Sylow subgroups of G and H can be computed 
in time polynomial in n by Proposition 2.7. If the sets of the orders of the Sylow subgroups are 
different in G and H, we return G ^ H. We note that a group is nilpotent if and only if it is 
the direct product of its Sylow subgroups by Proposition F.18. Then we have the direct products 
G = Yli=i Pi an d H = nf=i Qi where Pi and Qi are Sylow p^-subgroups of G and H . Any 
isomorphism (f> : G — > H must satisfy <j>[Pj\ = Qi- Conversely, if 4>i : Pi — > Qi is an isomorphism 
for each i then we can easily define an isomorphism <ft : G — > H using the direct product structure 
of G and H. We have shown that G = H if and only if Pi = Qi for all i. Since the number of 
Sylow subgroups of G is at most log n, we can decide if G = H by making at most log n calls to 
our algorithm for p-group isomorphism. □ 
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G Composition series proofs 

We now provide the proofs omitted in Section 4. 

Proposition 4.2. The induced isomorphism is well-defined and is indeed an isomorphism. 

Proof. Let G and H be groups with normal subgroups N and N' . Let <p : G — > H be an isomorphism 
such that (f)[N] = N' . We see that 4>\ G / N is well-defined since if g\N = we have 



cf>\ G/N (giN) = faJN' 

= <p{g2n)N' for some n E N 
= <P{92)N' 
= Mg/n(92N) 



It is clear that <j>\ G , N is injective since <f> is injective; it is also easy to show that 4>\ G / N is 
surjective so <j>\ G i N is bijective. Clearly, <f>\ G , N is a homomorphism so it is an isomorhpism. □ 

Proposition 4.3 (cf. [33]). Let G and H be groups with normal subgroups N and N' . Let T 

be a subnormal series Kq = {N} <■■■<] K m = G/N for G/N and let T' be a subnormal series 
Lq = {N'} < ■ ■ ■ < L m = H/N' for H/N' . Denote the canonical maps by <p : G — > G/N and 
if' : H —7- H/N' . Let S be the subnormal series {e} <Go < ■ ■ ■ < G m = G and let S' be the subnormal 
series {e} <Hq< - • ■ < H m = H where Gi = and Hi = Lp'~ l [Li]. Consider an isomorphism 

(f) : G — > H where <j>[N] = N' . Then <p respects S and S' if and only if the induced isomorphism 
4>\ G i N '■ G/N —7- H/N' respects T and T' . 

Proof. Let (f> : G — > H be an isomorphism where (j)[N] = N' and suppose 0)^^ : G/N — > H/N' 
respects T and T'. We note that each K- L = Gi/N and Lj = Hi/N'. By assumption, (p\ G j N [Ki\ = Li 
for all i so 



<f>[Gi] = |J 4>[xN] 

= U *\q,n(? n ) 
xeGi 

= U yN' 

= Hi 

Thus, (f> respects S and S' . For the converse, suppose <p respects S and S' . Let xN E Kf, then 
x E Gi so 4>\ G ^ N (xN) = (p(x)N' E Hi/N' = Li and cf)\ G ^ N [Ki] C Lj. Since <p\ G / N is an isomorphism 
and \Ki\ = |Lj|, it follows that cf)\ G ^ N [Ki] = Li. □ 
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